npm - @trust-assurance-protocol/owaspscan - Versions diffs - 1.0.0 - Mend

@trust-assurance-protocol/owaspscan 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (221) hide show

package/dist/analysis/ast-analyzer.d.ts +13 -0
package/dist/analysis/ast-analyzer.d.ts.map +1 -0
package/dist/analysis/ast-analyzer.js +58 -0
package/dist/analysis/ast-analyzer.js.map +1 -0
package/dist/analysis/llm-verifier.d.ts +17 -0
package/dist/analysis/llm-verifier.d.ts.map +1 -0
package/dist/analysis/llm-verifier.js +152 -0
package/dist/analysis/llm-verifier.js.map +1 -0
package/dist/analysis/result-cache.d.ts +20 -0
package/dist/analysis/result-cache.d.ts.map +1 -0
package/dist/analysis/result-cache.js +70 -0
package/dist/analysis/result-cache.js.map +1 -0
package/dist/analysis/sinks.d.ts +12 -0
package/dist/analysis/sinks.d.ts.map +1 -0
package/dist/analysis/sinks.js +142 -0
package/dist/analysis/sinks.js.map +1 -0
package/dist/analysis/sources.d.ts +8 -0
package/dist/analysis/sources.d.ts.map +1 -0
package/dist/analysis/sources.js +114 -0
package/dist/analysis/sources.js.map +1 -0
package/dist/analysis/taint-engine.d.ts +5 -0
package/dist/analysis/taint-engine.d.ts.map +1 -0
package/dist/analysis/taint-engine.js +187 -0
package/dist/analysis/taint-engine.js.map +1 -0
package/dist/cli/index.d.ts +3 -0
package/dist/cli/index.d.ts.map +1 -0
package/dist/cli/index.js +227 -0
package/dist/cli/index.js.map +1 -0
package/dist/config/loader.d.ts +10 -0
package/dist/config/loader.d.ts.map +1 -0
package/dist/config/loader.js +81 -0
package/dist/config/loader.js.map +1 -0
package/dist/config/schema.d.ts +23 -0
package/dist/config/schema.d.ts.map +1 -0
package/dist/config/schema.js +17 -0
package/dist/config/schema.js.map +1 -0
package/dist/mcp/server.d.ts +2 -0
package/dist/mcp/server.d.ts.map +1 -0
package/dist/mcp/server.js +250 -0
package/dist/mcp/server.js.map +1 -0
package/dist/parsers/ast-parser.d.ts +38 -0
package/dist/parsers/ast-parser.d.ts.map +1 -0
package/dist/parsers/ast-parser.js +88 -0
package/dist/parsers/ast-parser.js.map +1 -0
package/dist/parsers/ast-queries.d.ts +63 -0
package/dist/parsers/ast-queries.d.ts.map +1 -0
package/dist/parsers/ast-queries.js +580 -0
package/dist/parsers/ast-queries.js.map +1 -0
package/dist/reporter/console.d.ts +8 -0
package/dist/reporter/console.d.ts.map +1 -0
package/dist/reporter/console.js +143 -0
package/dist/reporter/console.js.map +1 -0
package/dist/reporter/json.d.ts +3 -0
package/dist/reporter/json.d.ts.map +1 -0
package/dist/reporter/json.js +7 -0
package/dist/reporter/json.js.map +1 -0
package/dist/reporter/llm.d.ts +3 -0
package/dist/reporter/llm.d.ts.map +1 -0
package/dist/reporter/llm.js +66 -0
package/dist/reporter/llm.js.map +1 -0
package/dist/reporter/sarif.d.ts +3 -0
package/dist/reporter/sarif.d.ts.map +1 -0
package/dist/reporter/sarif.js +110 -0
package/dist/reporter/sarif.js.map +1 -0
package/dist/rules/owasp-a01/idor.d.ts +3 -0
package/dist/rules/owasp-a01/idor.d.ts.map +1 -0
package/dist/rules/owasp-a01/idor.js +48 -0
package/dist/rules/owasp-a01/idor.js.map +1 -0
package/dist/rules/owasp-a01/missing-auth-middleware.d.ts +3 -0
package/dist/rules/owasp-a01/missing-auth-middleware.d.ts.map +1 -0
package/dist/rules/owasp-a01/missing-auth-middleware.js +41 -0
package/dist/rules/owasp-a01/missing-auth-middleware.js.map +1 -0
package/dist/rules/owasp-a01/path-traversal.d.ts +3 -0
package/dist/rules/owasp-a01/path-traversal.d.ts.map +1 -0
package/dist/rules/owasp-a01/path-traversal.js +73 -0
package/dist/rules/owasp-a01/path-traversal.js.map +1 -0
package/dist/rules/owasp-a02/hardcoded-secrets.d.ts +3 -0
package/dist/rules/owasp-a02/hardcoded-secrets.d.ts.map +1 -0
package/dist/rules/owasp-a02/hardcoded-secrets.js +97 -0
package/dist/rules/owasp-a02/hardcoded-secrets.js.map +1 -0
package/dist/rules/owasp-a02/insecure-tls.d.ts +3 -0
package/dist/rules/owasp-a02/insecure-tls.d.ts.map +1 -0
package/dist/rules/owasp-a02/insecure-tls.js +75 -0
package/dist/rules/owasp-a02/insecure-tls.js.map +1 -0
package/dist/rules/owasp-a02/weak-hash.d.ts +3 -0
package/dist/rules/owasp-a02/weak-hash.d.ts.map +1 -0
package/dist/rules/owasp-a02/weak-hash.js +73 -0
package/dist/rules/owasp-a02/weak-hash.js.map +1 -0
package/dist/rules/owasp-a02/weak-random.d.ts +3 -0
package/dist/rules/owasp-a02/weak-random.d.ts.map +1 -0
package/dist/rules/owasp-a02/weak-random.js +70 -0
package/dist/rules/owasp-a02/weak-random.js.map +1 -0
package/dist/rules/owasp-a03/command-injection.d.ts +3 -0
package/dist/rules/owasp-a03/command-injection.d.ts.map +1 -0
package/dist/rules/owasp-a03/command-injection.js +79 -0
package/dist/rules/owasp-a03/command-injection.js.map +1 -0
package/dist/rules/owasp-a03/ldap-injection.d.ts +3 -0
package/dist/rules/owasp-a03/ldap-injection.d.ts.map +1 -0
package/dist/rules/owasp-a03/ldap-injection.js +56 -0
package/dist/rules/owasp-a03/ldap-injection.js.map +1 -0
package/dist/rules/owasp-a03/nosql-injection.d.ts +3 -0
package/dist/rules/owasp-a03/nosql-injection.d.ts.map +1 -0
package/dist/rules/owasp-a03/nosql-injection.js +61 -0
package/dist/rules/owasp-a03/nosql-injection.js.map +1 -0
package/dist/rules/owasp-a03/sql-injection.d.ts +3 -0
package/dist/rules/owasp-a03/sql-injection.d.ts.map +1 -0
package/dist/rules/owasp-a03/sql-injection.js +88 -0
package/dist/rules/owasp-a03/sql-injection.js.map +1 -0
package/dist/rules/owasp-a03/template-injection.d.ts +3 -0
package/dist/rules/owasp-a03/template-injection.d.ts.map +1 -0
package/dist/rules/owasp-a03/template-injection.js +64 -0
package/dist/rules/owasp-a03/template-injection.js.map +1 -0
package/dist/rules/owasp-a03/xss.d.ts +3 -0
package/dist/rules/owasp-a03/xss.d.ts.map +1 -0
package/dist/rules/owasp-a03/xss.js +74 -0
package/dist/rules/owasp-a03/xss.js.map +1 -0
package/dist/rules/owasp-a04/mass-assignment.d.ts +3 -0
package/dist/rules/owasp-a04/mass-assignment.d.ts.map +1 -0
package/dist/rules/owasp-a04/mass-assignment.js +63 -0
package/dist/rules/owasp-a04/mass-assignment.js.map +1 -0
package/dist/rules/owasp-a04/missing-rate-limit.d.ts +3 -0
package/dist/rules/owasp-a04/missing-rate-limit.d.ts.map +1 -0
package/dist/rules/owasp-a04/missing-rate-limit.js +48 -0
package/dist/rules/owasp-a04/missing-rate-limit.js.map +1 -0
package/dist/rules/owasp-a05/cors-wildcard.d.ts +3 -0
package/dist/rules/owasp-a05/cors-wildcard.d.ts.map +1 -0
package/dist/rules/owasp-a05/cors-wildcard.js +79 -0
package/dist/rules/owasp-a05/cors-wildcard.js.map +1 -0
package/dist/rules/owasp-a05/debug-mode.d.ts +3 -0
package/dist/rules/owasp-a05/debug-mode.d.ts.map +1 -0
package/dist/rules/owasp-a05/debug-mode.js +73 -0
package/dist/rules/owasp-a05/debug-mode.js.map +1 -0
package/dist/rules/owasp-a05/default-credentials.d.ts +3 -0
package/dist/rules/owasp-a05/default-credentials.d.ts.map +1 -0
package/dist/rules/owasp-a05/default-credentials.js +52 -0
package/dist/rules/owasp-a05/default-credentials.js.map +1 -0
package/dist/rules/owasp-a05/error-disclosure.d.ts +3 -0
package/dist/rules/owasp-a05/error-disclosure.d.ts.map +1 -0
package/dist/rules/owasp-a05/error-disclosure.js +70 -0
package/dist/rules/owasp-a05/error-disclosure.js.map +1 -0
package/dist/rules/owasp-a06/outdated-packages.d.ts +3 -0
package/dist/rules/owasp-a06/outdated-packages.d.ts.map +1 -0
package/dist/rules/owasp-a06/outdated-packages.js +75 -0
package/dist/rules/owasp-a06/outdated-packages.js.map +1 -0
package/dist/rules/owasp-a07/insecure-cookies.d.ts +3 -0
package/dist/rules/owasp-a07/insecure-cookies.d.ts.map +1 -0
package/dist/rules/owasp-a07/insecure-cookies.js +64 -0
package/dist/rules/owasp-a07/insecure-cookies.js.map +1 -0
package/dist/rules/owasp-a07/jwt-none-alg.d.ts +3 -0
package/dist/rules/owasp-a07/jwt-none-alg.d.ts.map +1 -0
package/dist/rules/owasp-a07/jwt-none-alg.js +81 -0
package/dist/rules/owasp-a07/jwt-none-alg.js.map +1 -0
package/dist/rules/owasp-a07/no-password-hashing.d.ts +3 -0
package/dist/rules/owasp-a07/no-password-hashing.d.ts.map +1 -0
package/dist/rules/owasp-a07/no-password-hashing.js +70 -0
package/dist/rules/owasp-a07/no-password-hashing.js.map +1 -0
package/dist/rules/owasp-a07/weak-session.d.ts +3 -0
package/dist/rules/owasp-a07/weak-session.d.ts.map +1 -0
package/dist/rules/owasp-a07/weak-session.js +64 -0
package/dist/rules/owasp-a07/weak-session.js.map +1 -0
package/dist/rules/owasp-a08/unsafe-deserialization.d.ts +3 -0
package/dist/rules/owasp-a08/unsafe-deserialization.d.ts.map +1 -0
package/dist/rules/owasp-a08/unsafe-deserialization.js +78 -0
package/dist/rules/owasp-a08/unsafe-deserialization.js.map +1 -0
package/dist/rules/owasp-a08/unsafe-eval.d.ts +3 -0
package/dist/rules/owasp-a08/unsafe-eval.d.ts.map +1 -0
package/dist/rules/owasp-a08/unsafe-eval.js +73 -0
package/dist/rules/owasp-a08/unsafe-eval.js.map +1 -0
package/dist/rules/owasp-a09/log-sensitive-data.d.ts +3 -0
package/dist/rules/owasp-a09/log-sensitive-data.d.ts.map +1 -0
package/dist/rules/owasp-a09/log-sensitive-data.js +73 -0
package/dist/rules/owasp-a09/log-sensitive-data.js.map +1 -0
package/dist/rules/owasp-a09/missing-error-handling.d.ts +3 -0
package/dist/rules/owasp-a09/missing-error-handling.d.ts.map +1 -0
package/dist/rules/owasp-a09/missing-error-handling.js +84 -0
package/dist/rules/owasp-a09/missing-error-handling.js.map +1 -0
package/dist/rules/owasp-a10/open-redirect.d.ts +3 -0
package/dist/rules/owasp-a10/open-redirect.d.ts.map +1 -0
package/dist/rules/owasp-a10/open-redirect.js +67 -0
package/dist/rules/owasp-a10/open-redirect.js.map +1 -0
package/dist/rules/owasp-a10/unvalidated-fetch.d.ts +3 -0
package/dist/rules/owasp-a10/unvalidated-fetch.d.ts.map +1 -0
package/dist/rules/owasp-a10/unvalidated-fetch.js +85 -0
package/dist/rules/owasp-a10/unvalidated-fetch.js.map +1 -0
package/dist/rules/registry.d.ts +20 -0
package/dist/rules/registry.d.ts.map +1 -0
package/dist/rules/registry.js +142 -0
package/dist/rules/registry.js.map +1 -0
package/dist/scanner/engine.d.ts +21 -0
package/dist/scanner/engine.d.ts.map +1 -0
package/dist/scanner/engine.js +260 -0
package/dist/scanner/engine.js.map +1 -0
package/dist/scanner/file-walker.d.ts +7 -0
package/dist/scanner/file-walker.d.ts.map +1 -0
package/dist/scanner/file-walker.js +81 -0
package/dist/scanner/file-walker.js.map +1 -0
package/dist/scanner/language-detect.d.ts +5 -0
package/dist/scanner/language-detect.d.ts.map +1 -0
package/dist/scanner/language-detect.js +91 -0
package/dist/scanner/language-detect.js.map +1 -0
package/dist/scanner/sca-scanner.d.ts +38 -0
package/dist/scanner/sca-scanner.d.ts.map +1 -0
package/dist/scanner/sca-scanner.js +223 -0
package/dist/scanner/sca-scanner.js.map +1 -0
package/dist/types/index.d.ts +114 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +25 -0
package/dist/types/index.js.map +1 -0
package/dist/utils/pattern-matcher.d.ts +4 -0
package/dist/utils/pattern-matcher.d.ts.map +1 -0
package/dist/utils/pattern-matcher.js +72 -0
package/dist/utils/pattern-matcher.js.map +1 -0
package/dist/utils/scoring.d.ts +8 -0
package/dist/utils/scoring.d.ts.map +1 -0
package/dist/utils/scoring.js +76 -0
package/dist/utils/scoring.js.map +1 -0
package/dist/utils/suppression.d.ts +3 -0
package/dist/utils/suppression.d.ts.map +1 -0
package/dist/utils/suppression.js +33 -0
package/dist/utils/suppression.js.map +1 -0
package/package.json +94 -0

package/dist/rules/owasp-a08/unsafe-deserialization.js ADDED Viewed

@@ -0,0 +1,78 @@
+// OWASP A08:2021 — Software and Data Integrity Failures
+// Rule: Unsafe deserialization of untrusted data
+export const UnsafeDeserialization = {
+    id: 'OWASP-A08-002',
+    name: 'Unsafe Deserialization of Untrusted Data',
+    owasp: 'A08:2021',
+    cwe: 'CWE-502',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby'],
+    description: 'Deserializing objects from untrusted sources (request body, cookies, network) ' +
+        'using formats that support class instantiation (pickle, PHP serialize, Java ObjectInputStream, ' +
+        'node-serialize). Attackers craft payloads that execute code during deserialization.',
+    patterns: [
+        {
+            // Python pickle.loads with untrusted data
+            pattern: /pickle\s*\.\s*(?:loads|load)\s*\(\s*(?:request\.|req\.|data\.|body\.|socket\.|recv)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python pickle.loads from base64-decoded user data
+            pattern: /pickle\s*\.\s*loads\s*\(\s*(?:base64\.b64decode|b64decode)\s*\(/gi,
+            requiresContext: /(?:request\.|req\.|cookie|header|data|body|input)/i,
+            snippetLines: 5,
+        },
+        {
+            // PHP: unserialize with user input
+            pattern: /unserialize\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE|SESSION)\s*\[/gi,
+            snippetLines: 3,
+        },
+        {
+            // Java: ObjectInputStream.readObject with untrusted data
+            pattern: /new\s+ObjectInputStream\s*\(\s*(?:socket|request|connection|input)\.getInputStream/gi,
+            snippetLines: 3,
+        },
+        {
+            // Java: XMLDecoder with user input
+            pattern: /new\s+XMLDecoder\s*\(\s*(?!.*ResourceBundle)/gi,
+            requiresContext: /(?:request|socket|stream|input|data)/i,
+            snippetLines: 5,
+        },
+        {
+            // Node.js: node-serialize
+            pattern: /(?:require|import)\s*\(\s*['"`]node-serialize['"`]\s*\)/gi,
+            snippetLines: 1,
+        },
+        {
+            // Ruby: Marshal.load with user data
+            pattern: /Marshal\s*\.\s*load\s*\(\s*(?:params|request\.|cookie|Base64\.decode|data)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Avoid serialization formats that support object instantiation (pickle, PHP serialize, Java ObjectInputStream).\n\n' +
+        '// Use safe alternatives:\n' +
+        '// JSON (no code execution, only data):\n' +
+        'const data = JSON.parse(req.body); // safe — JSON is data-only\n\n' +
+        '// Python — use JSON instead of pickle:\n' +
+        'import json\n' +
+        'data = json.loads(request.data)  # safe — no code execution\n\n' +
+        '// If you must use pickle (internal only):\n' +
+        '# Use cryptographic MAC to verify data integrity before deserializing:\n' +
+        'import hmac, hashlib, pickle\n' +
+        'def safe_loads(data: bytes, secret: bytes) -> object:\n' +
+        '    mac, payload = data[:32], data[32:]\n' +
+        '    expected = hmac.new(secret, payload, hashlib.sha256).digest()\n' +
+        '    if not hmac.compare_digest(mac, expected):\n' +
+        '        raise ValueError("Data integrity check failed")\n' +
+        '    return pickle.loads(payload)\n\n' +
+        '// Java — use JSON (Jackson/Gson) with type allowlisting:\n' +
+        'ObjectMapper mapper = new ObjectMapper();\n' +
+        'mapper.activateDefaultTyping(PTF, ObjectMapper.DefaultTyping.NON_FINAL);',
+    references: [
+        'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/',
+        'https://cwe.mitre.org/data/definitions/502.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html',
+    ],
+    tags: ['deserialization', 'pickle', 'integrity', 'rce', 'object-injection'],
+};
+//# sourceMappingURL=unsafe-deserialization.js.map

package/dist/rules/owasp-a08/unsafe-deserialization.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unsafe-deserialization.js","sourceRoot":"","sources":["../../../src/rules/owasp-a08/unsafe-deserialization.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,iDAAiD;AAIjD,MAAM,CAAC,MAAM,qBAAqB,GAAS;IACzC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,0CAA0C;IAChD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,gFAAgF;QAChF,iGAAiG;QACjG,qFAAqF;IACvF,QAAQ,EAAE;QACR;YACE,0CAA0C;YAC1C,OAAO,EACL,uFAAuF;YACzF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oDAAoD;YACpD,OAAO,EACL,mEAAmE;YACrE,eAAe,EAAE,oDAAoD;YACrE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mCAAmC;YACnC,OAAO,EACL,kEAAkE;YACpE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yDAAyD;YACzD,OAAO,EACL,sFAAsF;YACxF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mCAAmC;YACnC,OAAO,EACL,gDAAgD;YAClD,eAAe,EAAE,uCAAuC;YACxD,YAAY,EAAE,CAAC;SAChB;QACD;YACE,0BAA0B;YAC1B,OAAO,EAAE,2DAA2D;YACpE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oCAAoC;YACpC,OAAO,EACL,8EAA8E;YAChF,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,oHAAoH;QACpH,6BAA6B;QAC7B,2CAA2C;QAC3C,oEAAoE;QACpE,2CAA2C;QAC3C,eAAe;QACf,iEAAiE;QACjE,8CAA8C;QAC9C,0EAA0E;QAC1E,gCAAgC;QAChC,yDAAyD;QACzD,2CAA2C;QAC3C,qEAAqE;QACrE,kDAAkD;QAClD,2DAA2D;QAC3D,sCAAsC;QACtC,6DAA6D;QAC7D,6CAA6C;QAC7C,0EAA0E;IAC5E,UAAU,EAAE;QACV,wEAAwE;QACxE,iDAAiD;QACjD,iFAAiF;KAClF;IACD,IAAI,EAAE,CAAC,iBAAiB,EAAE,QAAQ,EAAE,WAAW,EAAE,KAAK,EAAE,kBAAkB,CAAC;CAC5E,CAAC"}

package/dist/rules/owasp-a08/unsafe-eval.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const UnsafeEval: Rule;
+//# sourceMappingURL=unsafe-eval.d.ts.map

package/dist/rules/owasp-a08/unsafe-eval.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"unsafe-eval.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a08/unsafe-eval.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,UAAU,EAAE,IA2ExB,CAAC"}

package/dist/rules/owasp-a08/unsafe-eval.js ADDED Viewed

@@ -0,0 +1,73 @@
+// OWASP A08:2021 — Software and Data Integrity Failures
+// Rule: eval() / Function() constructor with dynamic/user content
+export const UnsafeEval = {
+    id: 'OWASP-A08-001',
+    name: 'Unsafe Use of eval() or Dynamic Code Execution',
+    owasp: 'A08:2021',
+    cwe: 'CWE-95',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'ruby', 'php'],
+    description: 'eval(), new Function(), or exec() used to evaluate user-controlled or externally-sourced ' +
+        'strings as code. This enables arbitrary code execution on the server or client. ' +
+        'AI tools sometimes suggest eval() for JSON parsing or dynamic property access.',
+    patterns: [
+        {
+            // JS: eval() with any non-literal argument
+            pattern: /\beval\s*\(\s*(?!['"`][^'"`]*['"`]\s*\))/gi,
+            snippetLines: 3,
+        },
+        {
+            // JS: new Function() constructor with user input
+            pattern: /new\s+Function\s*\([^)]*(?:req\.|request\.|input\.|user\.|data\.|\+\s*\w)/gi,
+            snippetLines: 3,
+        },
+        {
+            // JS: setTimeout/setInterval with string (deprecated, evaluates as eval)
+            pattern: /(?:setTimeout|setInterval)\s*\(\s*(?:['"`][^'"`]*['"`]\s*\+|`[^`]*\$\{)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: exec() / eval() with user input
+            pattern: /\b(?:exec|eval)\s*\(\s*(?:request\.|req\.|input\.|data\.|user\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python: exec() with string concatenation
+            pattern: /\bexec\s*\(\s*['"`][^'"`]*['"`]\s*\+/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: eval() — almost always dangerous
+            pattern: /\beval\s*\(\s*\$/gi,
+            snippetLines: 3,
+        },
+        {
+            // Ruby: eval / instance_eval with user input
+            pattern: /\beval\s*\(\s*(?:params|request\.|req\.)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Avoid eval() and dynamic code execution entirely.\n\n' +
+        '// BAD — JSON parsing with eval:\n' +
+        'const data = eval("(" + jsonString + ")");\n\n' +
+        '// GOOD:\n' +
+        'const data = JSON.parse(jsonString); // throws on invalid JSON\n\n' +
+        '// BAD — dynamic property access:\n' +
+        'eval(`obj.${userProperty} = value`);\n\n' +
+        '// GOOD:\n' +
+        'const ALLOWED_PROPS = ["name", "email"]; // whitelist\n' +
+        'if (ALLOWED_PROPS.includes(userProperty)) {\n' +
+        '  obj[userProperty] = value;\n' +
+        '}\n\n' +
+        '// Python — never exec user input:\n' +
+        '# Use ast.literal_eval() for safe evaluation of literals:\n' +
+        'import ast\n' +
+        'value = ast.literal_eval(user_string)  # only allows literals, not expressions',
+    references: [
+        'https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/',
+        'https://cwe.mitre.org/data/definitions/95.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html',
+    ],
+    tags: ['eval', 'code-injection', 'rce', 'integrity'],
+};
+//# sourceMappingURL=unsafe-eval.js.map

package/dist/rules/owasp-a08/unsafe-eval.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unsafe-eval.js","sourceRoot":"","sources":["../../../src/rules/owasp-a08/unsafe-eval.ts"],"names":[],"mappings":"AAAA,wDAAwD;AACxD,kEAAkE;AAIlE,MAAM,CAAC,MAAM,UAAU,GAAS;IAC9B,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,gDAAgD;IACtD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,QAAQ;IACb,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC;IAChE,WAAW,EACT,2FAA2F;QAC3F,kFAAkF;QAClF,gFAAgF;IAClF,QAAQ,EAAE;QACR;YACE,2CAA2C;YAC3C,OAAO,EAAE,4CAA4C;YACrD,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iDAAiD;YACjD,OAAO,EACL,6EAA6E;YAC/E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yEAAyE;YACzE,OAAO,EACL,2EAA2E;YAC7E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,0CAA0C;YAC1C,OAAO,EACL,oEAAoE;YACtE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2CAA2C;YAC3C,OAAO,EAAE,wCAAwC;YACjD,YAAY,EAAE,CAAC;SAChB;QACD;YACE,wCAAwC;YACxC,OAAO,EAAE,oBAAoB;YAC7B,YAAY,EAAE,CAAC;SAChB;QACD;YACE,6CAA6C;YAC7C,OAAO,EACL,4CAA4C;YAC9C,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,uDAAuD;QACvD,oCAAoC;QACpC,gDAAgD;QAChD,YAAY;QACZ,oEAAoE;QACpE,qCAAqC;QACrC,0CAA0C;QAC1C,YAAY;QACZ,yDAAyD;QACzD,+CAA+C;QAC/C,gCAAgC;QAChC,OAAO;QACP,sCAAsC;QACtC,6DAA6D;QAC7D,cAAc;QACd,gFAAgF;IAClF,UAAU,EAAE;QACV,wEAAwE;QACxE,gDAAgD;QAChD,sFAAsF;KACvF;IACD,IAAI,EAAE,CAAC,MAAM,EAAE,gBAAgB,EAAE,KAAK,EAAE,WAAW,CAAC;CACrD,CAAC"}

package/dist/rules/owasp-a09/log-sensitive-data.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const LogSensitiveData: Rule;
+//# sourceMappingURL=log-sensitive-data.d.ts.map

package/dist/rules/owasp-a09/log-sensitive-data.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"log-sensitive-data.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a09/log-sensitive-data.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,gBAAgB,EAAE,IA6E9B,CAAC"}

package/dist/rules/owasp-a09/log-sensitive-data.js ADDED Viewed

@@ -0,0 +1,73 @@
+// OWASP A09:2021 — Security Logging and Monitoring Failures
+// Rule: Sensitive data (passwords, tokens, PII) written to logs
+export const LogSensitiveData = {
+    id: 'OWASP-A09-001',
+    name: 'Sensitive Data Logged to Console or Log Files',
+    owasp: 'A09:2021',
+    cwe: 'CWE-532',
+    severity: 'HIGH',
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'ruby', 'php'],
+    description: 'Passwords, tokens, credit card numbers, social security numbers, or full request bodies ' +
+        'with sensitive fields logged to console or log files. Log files are often stored insecurely, ' +
+        'forwarded to third-party logging services, or accessible to operations staff. ' +
+        'AI tools routinely log entire request objects for debugging.',
+    patterns: [
+        {
+            // console.log with sensitive variable names.
+            // [^)'"`]* stops at any quote character so we don't match keywords that
+            // appear only inside string/template-literal labels like console.log("Key count:", n).
+            // Only matches when the sensitive word appears as an identifier in the argument.
+            pattern: /console\s*\.\s*(?:log|debug|info|warn|error)\s*\([^)'"`]*(?:password|passwd|pwd|secret|token|apiKey|privateKey|accessKey|secretKey|authToken|bearerToken|ssn|cvv|credit_card|creditCard|authorization)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Logging entire req.body (may contain passwords)
+            pattern: /(?:console|logger|log)\s*\.\s*(?:log|debug|info)\s*\([^)'"`]*req\s*\.\s*body\s*\)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python logging sensitive fields — stop at quotes to avoid matching string labels
+            pattern: /(?:logging|logger)\s*\.\s*(?:debug|info|warning|error|critical)\s*\([^)'"`]*(?:password|passwd|token|secret|apiKey|privateKey|ssn|cvv)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python print with sensitive data — require identifier context, not string label
+            pattern: /\bprint\s*\([^)'"`]*(?:password|passwd|token|secret|apiKey|privateKey|ssn|cvv|credit_card)\s*(?:=|,|\))/gi,
+            snippetLines: 3,
+        },
+        {
+            // Java logging sensitive params — stop at quotes
+            pattern: /(?:log|logger)\s*\.\s*(?:debug|info|warn|error|trace)\s*\([^)'"`]*(?:password|passwd|token|secret|authorization)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Go: log.Printf/Println with sensitive identifiers — stop at quotes
+            pattern: /(?:log|logger)\s*\.\s*(?:Printf|Println|Print|Debugf|Infof)\s*\([^)'"`]*(?:password|passwd|token|secret|apiKey|privateKey)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Scrub sensitive fields from log output. Log security events (login attempts) without logging the values.\n\n' +
+        '// BAD:\n' +
+        'console.log("Login attempt", req.body); // logs password!\n\n' +
+        '// GOOD — log only safe fields:\n' +
+        'logger.info({ email: req.body.email, ip: req.ip }, "Login attempt");\n\n' +
+        '// Use a log scrubbing library:\n' +
+        'import pino from "pino";\n' +
+        'const logger = pino({\n' +
+        '  redact: {\n' +
+        '    paths: ["*.password", "*.token", "*.secret", "*.authorization", "*.cvv"],\n' +
+        '    censor: "[REDACTED]",\n' +
+        '  },\n' +
+        '});\n\n' +
+        '// Python — use a log filter:\n' +
+        'SENSITIVE_KEYS = {"password", "token", "secret", "key"}\n' +
+        'def scrub(data: dict) -> dict:\n' +
+        '    return {k: "[REDACTED]" if k in SENSITIVE_KEYS else v for k, v in data.items()}',
+    references: [
+        'https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/',
+        'https://cwe.mitre.org/data/definitions/532.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html',
+    ],
+    tags: ['logging', 'pii', 'sensitive-data', 'information-disclosure'],
+};
+//# sourceMappingURL=log-sensitive-data.js.map

package/dist/rules/owasp-a09/log-sensitive-data.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"log-sensitive-data.js","sourceRoot":"","sources":["../../../src/rules/owasp-a09/log-sensitive-data.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,gEAAgE;AAIhE,MAAM,CAAC,MAAM,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,+CAA+C;IACrD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,MAAM;IAChB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC;IAC9E,WAAW,EACT,0FAA0F;QAC1F,+FAA+F;QAC/F,gFAAgF;QAChF,8DAA8D;IAChE,QAAQ,EAAE;QACR;YACE,6CAA6C;YAC7C,wEAAwE;YACxE,uFAAuF;YACvF,iFAAiF;YACjF,OAAO,EACL,0MAA0M;YAC5M,YAAY,EAAE,CAAC;SAChB;QACD;YACE,kDAAkD;YAClD,OAAO,EACL,qFAAqF;YACvF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mFAAmF;YACnF,OAAO,EACL,0IAA0I;YAC5I,YAAY,EAAE,CAAC;SAChB;QACD;YACE,kFAAkF;YAClF,OAAO,EACL,2GAA2G;YAC7G,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iDAAiD;YACjD,OAAO,EACL,oHAAoH;YACtH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,qEAAqE;YACrE,OAAO,EACL,8HAA8H;YAChI,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,8GAA8G;QAC9G,WAAW;QACX,+DAA+D;QAC/D,mCAAmC;QACnC,0EAA0E;QAC1E,mCAAmC;QACnC,4BAA4B;QAC5B,yBAAyB;QACzB,eAAe;QACf,iFAAiF;QACjF,6BAA6B;QAC7B,QAAQ;QACR,SAAS;QACT,iCAAiC;QACjC,2DAA2D;QAC3D,kCAAkC;QAClC,qFAAqF;IACvF,UAAU,EAAE;QACV,4EAA4E;QAC5E,iDAAiD;QACjD,yEAAyE;KAC1E;IACD,IAAI,EAAE,CAAC,SAAS,EAAE,KAAK,EAAE,gBAAgB,EAAE,wBAAwB,CAAC;CACrE,CAAC"}

package/dist/rules/owasp-a09/missing-error-handling.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const MissingErrorHandling: Rule;
+//# sourceMappingURL=missing-error-handling.d.ts.map

package/dist/rules/owasp-a09/missing-error-handling.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"missing-error-handling.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a09/missing-error-handling.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,oBAAoB,EAAE,IAkFlC,CAAC"}

package/dist/rules/owasp-a09/missing-error-handling.js ADDED Viewed

@@ -0,0 +1,84 @@
+// OWASP A09:2021 — Security Logging and Monitoring Failures
+// Rule: Missing error handling or silent error swallowing
+export const MissingErrorHandling = {
+    id: 'OWASP-A09-002',
+    name: 'Silent Error Swallowing or Missing Error Handler',
+    owasp: 'A09:2021',
+    cwe: 'CWE-390',
+    severity: 'MEDIUM',
+    languages: ['javascript', 'typescript', 'python', 'java', 'go'],
+    description: 'Errors caught and silently ignored (empty catch blocks) or unhandled promise rejections. ' +
+        'Silent failures mask security events — failed authentication attempts, injection attempts, ' +
+        'and authorization failures go undetected and unmonitored.',
+    patterns: [
+        {
+            // Empty catch block
+            pattern: /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/g,
+            snippetLines: 3,
+        },
+        {
+            // catch block with only a comment — suppress when developer explains the rationale
+            // (e.g. "// Ignore parse errors", "// Silently ignore failed images")
+            // These are intentional decisions, not forgotten error handling.
+            pattern: /catch\s*\(\s*\w+\s*\)\s*\{\s*\/\/[^\n]*\n\s*\}/g,
+            suppressIf: /catch\s*\([^)]*\)\s*\{\s*\/\/[^\n]*(?:ignore|intentional|silent|expected|safe|ok|ping|pong|frame|image|avatar|optional|fallback|non-?fatal|best.?effort)\b/i,
+            snippetLines: 3,
+        },
+        {
+            // Catch that only reassigns (no logging, no rethrow)
+            pattern: /catch\s*\(\s*\w+\s*\)\s*\{\s*(?:return\s+(?:null|undefined|false|0|{}\s*|\[\]\s*))\s*\}/g,
+            snippetLines: 3,
+        },
+        {
+            // Python: bare except pass
+            pattern: /except\s*(?:\w+\s*)?:\s*\n\s*pass\b/g,
+            snippetLines: 3,
+        },
+        {
+            // Python: except with only comment
+            pattern: /except\s*(?:\w+\s*)?:\s*\n\s*#[^\n]*\n\s*pass\b/g,
+            snippetLines: 3,
+        },
+        {
+            // Unhandled promise: .catch(() => {}) or .catch(err => {})
+            pattern: /\.catch\s*\(\s*(?:\(\s*\w*\s*\)|_)\s*=>\s*\{\s*\}\s*\)/g,
+            snippetLines: 3,
+        },
+        {
+            // Go: ignoring error return value with blank identifier
+            pattern: /\w+\s*,\s*_\s*:?=\s*(?:db\.|sql\.|os\.|http\.|io\.|json\.)/g,
+            requiresContext: /(?:err|error|sql\.|db\.|query|connect|read|write)/i,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Log and handle all errors. Use a centralized error handler.\n\n' +
+        '// BAD:\n' +
+        'try {\n' +
+        '  await db.query(sql);\n' +
+        '} catch (err) {} // silent failure!\n\n' +
+        '// GOOD:\n' +
+        'try {\n' +
+        '  await db.query(sql);\n' +
+        '} catch (err) {\n' +
+        '  logger.error({ err, sql }, "Database query failed");\n' +
+        '  throw err; // re-throw or handle appropriately\n' +
+        '}\n\n' +
+        '// Unhandled promise rejections:\n' +
+        'process.on("unhandledRejection", (reason, promise) => {\n' +
+        '  logger.fatal({ reason }, "Unhandled promise rejection");\n' +
+        '  process.exit(1);\n' +
+        '});\n\n' +
+        '// Python:\n' +
+        'try:\n' +
+        '    result = db.execute(query)\n' +
+        'except Exception:\n' +
+        '    logger.exception("Database error")  # logs traceback\n' +
+        '    raise  # re-raise — do not swallow',
+    references: [
+        'https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/',
+        'https://cwe.mitre.org/data/definitions/390.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Error_Handling_Cheat_Sheet.html',
+    ],
+    tags: ['error-handling', 'logging', 'monitoring', 'silent-failure'],
+};
+//# sourceMappingURL=missing-error-handling.js.map

package/dist/rules/owasp-a09/missing-error-handling.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"missing-error-handling.js","sourceRoot":"","sources":["../../../src/rules/owasp-a09/missing-error-handling.ts"],"names":[],"mappings":"AAAA,4DAA4D;AAC5D,0DAA0D;AAI1D,MAAM,CAAC,MAAM,oBAAoB,GAAS;IACxC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,kDAAkD;IACxD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,QAAQ;IAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC;IAC/D,WAAW,EACT,2FAA2F;QAC3F,6FAA6F;QAC7F,2DAA2D;IAC7D,QAAQ,EAAE;QACR;YACE,oBAAoB;YACpB,OAAO,EAAE,kCAAkC;YAC3C,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mFAAmF;YACnF,sEAAsE;YACtE,iEAAiE;YACjE,OAAO,EAAE,iDAAiD;YAC1D,UAAU,EAAE,6JAA6J;YACzK,YAAY,EAAE,CAAC;SAChB;QACD;YACE,qDAAqD;YACrD,OAAO,EAAE,0FAA0F;YACnG,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2BAA2B;YAC3B,OAAO,EAAE,sCAAsC;YAC/C,YAAY,EAAE,CAAC;SAChB;QACD;YACE,mCAAmC;YACnC,OAAO,EAAE,kDAAkD;YAC3D,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2DAA2D;YAC3D,OAAO,EAAE,yDAAyD;YAClE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,wDAAwD;YACxD,OAAO,EAAE,6DAA6D;YACtE,eAAe,EAAE,oDAAoD;YACrE,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,iEAAiE;QACjE,WAAW;QACX,SAAS;QACT,0BAA0B;QAC1B,yCAAyC;QACzC,YAAY;QACZ,SAAS;QACT,0BAA0B;QAC1B,mBAAmB;QACnB,0DAA0D;QAC1D,oDAAoD;QACpD,OAAO;QACP,oCAAoC;QACpC,2DAA2D;QAC3D,8DAA8D;QAC9D,sBAAsB;QACtB,SAAS;QACT,cAAc;QACd,QAAQ;QACR,kCAAkC;QAClC,qBAAqB;QACrB,4DAA4D;QAC5D,wCAAwC;IAC1C,UAAU,EAAE;QACV,4EAA4E;QAC5E,iDAAiD;QACjD,gFAAgF;KACjF;IACD,IAAI,EAAE,CAAC,gBAAgB,EAAE,SAAS,EAAE,YAAY,EAAE,gBAAgB,CAAC;CACpE,CAAC"}

package/dist/rules/owasp-a10/open-redirect.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const OpenRedirect: Rule;
+//# sourceMappingURL=open-redirect.d.ts.map

package/dist/rules/owasp-a10/open-redirect.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"open-redirect.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a10/open-redirect.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,YAAY,EAAE,IAsE1B,CAAC"}

package/dist/rules/owasp-a10/open-redirect.js ADDED Viewed

@@ -0,0 +1,67 @@
+// OWASP A10:2021 — Server-Side Request Forgery (SSRF)
+// Rule: Open Redirect via unsanitized redirect URL
+export const OpenRedirect = {
+    id: 'OWASP-A10-002',
+    name: 'Open Redirect via Unsanitized URL Parameter',
+    owasp: 'A10:2021',
+    cwe: 'CWE-601',
+    severity: 'MEDIUM',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'ruby'],
+    description: 'Server redirects users to a URL taken from request parameters without validation. ' +
+        'Attackers use this for phishing (myapp.com/redirect?to=evil.com) or to bypass ' +
+        'same-origin checks. AI tools frequently generate res.redirect(req.query.returnUrl).',
+    patterns: [
+        {
+            // Express: res.redirect with user query param
+            pattern: /res\s*\.\s*redirect\s*\(\s*(?:req|request)\s*\.\s*(?:query|body|params)\s*\.\s*\w+/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python/Flask: redirect with user input
+            pattern: /redirect\s*\(\s*(?:request\.|req\.)\s*(?:args|form|json|data)\s*(?:\[|\.get\s*\()/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: header('Location: ' . $_GET['...'])
+            pattern: /header\s*\(\s*['"`]\s*Location\s*:\s*['"`]\s*\.\s*\$_(?:GET|POST|REQUEST)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Java: response.sendRedirect with user request param
+            pattern: /response\s*\.\s*sendRedirect\s*\(\s*request\s*\.\s*getParameter\s*\(/gi,
+            snippetLines: 3,
+        },
+        {
+            // Ruby/Rails: redirect_to with params
+            pattern: /redirect_to\s+(?:params|request\.referer)\s*(?:\[|\.fetch)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Validate redirect URLs against a whitelist of allowed destinations.\n\n' +
+        '// Express — safe redirect:\n' +
+        'const ALLOWED_REDIRECT_HOSTS = ["myapp.com", "www.myapp.com"];\n\n' +
+        'function safeRedirect(res: Response, url: string, fallback = "/"): void {\n' +
+        '  try {\n' +
+        '    const parsed = new URL(url, "https://myapp.com");\n' +
+        '    if (ALLOWED_REDIRECT_HOSTS.includes(parsed.hostname)) {\n' +
+        '      res.redirect(parsed.toString());\n' +
+        '      return;\n' +
+        '    }\n' +
+        '  } catch { /* invalid URL */ }\n' +
+        '  res.redirect(fallback); // safe fallback\n' +
+        '}\n\n' +
+        '// Or: only allow relative redirects (safest):\n' +
+        'const returnUrl = req.query.returnUrl as string;\n' +
+        'if (returnUrl?.startsWith("/") && !returnUrl.startsWith("//")) {\n' +
+        '  res.redirect(returnUrl);\n' +
+        '} else {\n' +
+        '  res.redirect("/dashboard"); // fallback\n' +
+        '}',
+    references: [
+        'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/',
+        'https://cwe.mitre.org/data/definitions/601.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html',
+    ],
+    tags: ['open-redirect', 'url-validation', 'phishing', 'ssrf'],
+};
+//# sourceMappingURL=open-redirect.js.map

package/dist/rules/owasp-a10/open-redirect.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"open-redirect.js","sourceRoot":"","sources":["../../../src/rules/owasp-a10/open-redirect.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,mDAAmD;AAInD,MAAM,CAAC,MAAM,YAAY,GAAS;IAChC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,6CAA6C;IACnD,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,QAAQ;IAClB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC;IACxE,WAAW,EACT,oFAAoF;QACpF,gFAAgF;QAChF,qFAAqF;IACvF,QAAQ,EAAE;QACR;YACE,8CAA8C;YAC9C,OAAO,EACL,sFAAsF;YACxF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yCAAyC;YACzC,OAAO,EACL,qFAAqF;YACvF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,2CAA2C;YAC3C,OAAO,EACL,6EAA6E;YAC/E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,sDAAsD;YACtD,OAAO,EACL,wEAAwE;YAC1E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,sCAAsC;YACtC,OAAO,EACL,8DAA8D;YAChE,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,yEAAyE;QACzE,+BAA+B;QAC/B,oEAAoE;QACpE,6EAA6E;QAC7E,WAAW;QACX,yDAAyD;QACzD,+DAA+D;QAC/D,0CAA0C;QAC1C,iBAAiB;QACjB,SAAS;QACT,mCAAmC;QACnC,8CAA8C;QAC9C,OAAO;QACP,kDAAkD;QAClD,oDAAoD;QACpD,oEAAoE;QACpE,8BAA8B;QAC9B,YAAY;QACZ,6CAA6C;QAC7C,GAAG;IACL,UAAU,EAAE;QACV,0EAA0E;QAC1E,iDAAiD;QACjD,oGAAoG;KACrG;IACD,IAAI,EAAE,CAAC,eAAe,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,CAAC;CAC9D,CAAC"}

package/dist/rules/owasp-a10/unvalidated-fetch.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+import type { Rule } from '../../types/index.js';
+export declare const UnvalidatedFetch: Rule;
+//# sourceMappingURL=unvalidated-fetch.d.ts.map

package/dist/rules/owasp-a10/unvalidated-fetch.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"unvalidated-fetch.d.ts","sourceRoot":"","sources":["../../../src/rules/owasp-a10/unvalidated-fetch.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,sBAAsB,CAAC;AAEjD,eAAO,MAAM,gBAAgB,EAAE,IA2F9B,CAAC"}

package/dist/rules/owasp-a10/unvalidated-fetch.js ADDED Viewed

@@ -0,0 +1,85 @@
+// OWASP A10:2021 — Server-Side Request Forgery (SSRF)
+// Rule: Server fetches a URL from user-controlled input without validation
+export const UnvalidatedFetch = {
+    id: 'OWASP-A10-001',
+    name: 'Server-Side Request Forgery (SSRF) via Unvalidated URL',
+    owasp: 'A10:2021',
+    cwe: 'CWE-918',
+    severity: 'CRITICAL',
+    languages: ['javascript', 'typescript', 'python', 'php', 'java', 'go', 'ruby'],
+    description: 'Server makes HTTP/HTTPS requests to URLs derived from user input without validating ' +
+        'the URL. Attackers can redirect requests to internal services (AWS metadata endpoint, ' +
+        'Kubernetes API, Redis, internal DBs). A common AI mistake: webhook handlers and ' +
+        '"fetch URL" features that directly pass req.body.url to fetch().',
+    patterns: [
+        {
+            // fetch() with user input
+            pattern: /\bfetch\s*\(\s*(?:req|request)\s*\.\s*(?:body|params|query)\s*\.\s*\w+/gi,
+            snippetLines: 3,
+        },
+        {
+            // axios.get/post with user URL
+            pattern: /axios\s*\.\s*(?:get|post|put|patch|delete|request)\s*\(\s*(?:req|request)\s*\.\s*(?:body|params|query)\s*\.\s*\w+/gi,
+            snippetLines: 3,
+        },
+        {
+            // Node.js http/https.get with user URL
+            pattern: /(?:https?|http)\s*\.\s*(?:get|request)\s*\(\s*(?:req|request)\s*\.\s*(?:body|params|query)\s*\.\s*\w+/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python requests.get/post with user URL
+            pattern: /requests\s*\.\s*(?:get|post|put|patch|delete|head|request)\s*\(\s*(?:request\.|req\.)\s*(?:args|form|json|data)\s*(?:\[|\.\s*get)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Python urllib/httpx with user URL
+            pattern: /(?:urllib\.request\.urlopen|httpx\.(?:get|post|request))\s*\(\s*(?:request\.|req\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // PHP: curl_setopt with user URL
+            pattern: /curl_setopt\s*\([^,]+,\s*CURLOPT_URL\s*,\s*\$_(?:GET|POST|REQUEST)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Go: http.Get / http.Post with user URL
+            pattern: /http\s*\.\s*(?:Get|Post|Do)\s*\(\s*(?:r\.(?:URL\.Query|FormValue)|req\.)/gi,
+            snippetLines: 3,
+        },
+        {
+            // Template literal URL from user input in fetch
+            pattern: /fetch\s*\(\s*`[^`]*\$\{[^}]*(?:req\.|request\.)(?:body|params|query)/gi,
+            snippetLines: 3,
+        },
+    ],
+    fix: 'Validate URLs against an allowlist of trusted schemes, hosts, and ports.\n\n' +
+        '// Node.js — URL validation helper:\n' +
+        'const ALLOWED_HOSTS = ["api.trustedservice.com", "cdn.myapp.com"];\n\n' +
+        'function validateUrl(rawUrl: string): URL {\n' +
+        '  let url: URL;\n' +
+        '  try {\n' +
+        '    url = new URL(rawUrl);\n' +
+        '  } catch {\n' +
+        '    throw new Error("Invalid URL format");\n' +
+        '  }\n' +
+        '  // Only allow HTTPS\n' +
+        '  if (url.protocol !== "https:") throw new Error("Only HTTPS URLs allowed");\n' +
+        '  // Only allow trusted hosts\n' +
+        '  if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error("Host not in allowlist");\n' +
+        '  // Block private IP ranges and localhost\n' +
+        '  if (/^(127\\.|10\\.|172\\.(1[6-9]|2\\d|3[01])\\.|192\\.168\\.|::1|localhost)/i.test(url.hostname)) {\n' +
+        '    throw new Error("Private/loopback addresses not allowed");\n' +
+        '  }\n' +
+        '  return url;\n' +
+        '}\n\n' +
+        'const validatedUrl = validateUrl(req.body.webhookUrl);\n' +
+        'const response = await fetch(validatedUrl.toString());',
+    references: [
+        'https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/',
+        'https://cwe.mitre.org/data/definitions/918.html',
+        'https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html',
+    ],
+    tags: ['ssrf', 'request-forgery', 'url-validation', 'injection'],
+};
+//# sourceMappingURL=unvalidated-fetch.js.map

package/dist/rules/owasp-a10/unvalidated-fetch.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unvalidated-fetch.js","sourceRoot":"","sources":["../../../src/rules/owasp-a10/unvalidated-fetch.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,2EAA2E;AAI3E,MAAM,CAAC,MAAM,gBAAgB,GAAS;IACpC,EAAE,EAAE,eAAe;IACnB,IAAI,EAAE,wDAAwD;IAC9D,KAAK,EAAE,UAAU;IACjB,GAAG,EAAE,SAAS;IACd,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC;IAC9E,WAAW,EACT,sFAAsF;QACtF,wFAAwF;QACxF,kFAAkF;QAClF,kEAAkE;IACpE,QAAQ,EAAE;QACR;YACE,0BAA0B;YAC1B,OAAO,EACL,0EAA0E;YAC5E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,+BAA+B;YAC/B,OAAO,EACL,qHAAqH;YACvH,YAAY,EAAE,CAAC;SAChB;QACD;YACE,uCAAuC;YACvC,OAAO,EACL,yGAAyG;YAC3G,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yCAAyC;YACzC,OAAO,EACL,qIAAqI;YACvI,YAAY,EAAE,CAAC;SAChB;QACD;YACE,oCAAoC;YACpC,OAAO,EACL,uFAAuF;YACzF,YAAY,EAAE,CAAC;SAChB;QACD;YACE,iCAAiC;YACjC,OAAO,EACL,sEAAsE;YACxE,YAAY,EAAE,CAAC;SAChB;QACD;YACE,yCAAyC;YACzC,OAAO,EACL,4EAA4E;YAC9E,YAAY,EAAE,CAAC;SAChB;QACD;YACE,gDAAgD;YAChD,OAAO,EACL,wEAAwE;YAC1E,YAAY,EAAE,CAAC;SAChB;KACF;IACD,GAAG,EACD,8EAA8E;QAC9E,uCAAuC;QACvC,wEAAwE;QACxE,+CAA+C;QAC/C,mBAAmB;QACnB,WAAW;QACX,8BAA8B;QAC9B,eAAe;QACf,8CAA8C;QAC9C,OAAO;QACP,yBAAyB;QACzB,gFAAgF;QAChF,iCAAiC;QACjC,0FAA0F;QAC1F,8CAA8C;QAC9C,0GAA0G;QAC1G,kEAAkE;QAClE,OAAO;QACP,iBAAiB;QACjB,OAAO;QACP,0DAA0D;QAC1D,wDAAwD;IAC1D,UAAU,EAAE;QACV,0EAA0E;QAC1E,iDAAiD;QACjD,wGAAwG;KACzG;IACD,IAAI,EAAE,CAAC,MAAM,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,WAAW,CAAC;CACjE,CAAC"}

package/dist/rules/registry.d.ts ADDED Viewed

@@ -0,0 +1,20 @@
+import type { Rule, OWASPCategory, SupportedLanguage } from '../types/index.js';
+export declare class RuleRegistry {
+    private rules;
+    private _proRulesLoaded;
+    constructor(rules?: Rule[]);
+    /** Register additional rules (e.g., from @owaspscan/rules-pro) */
+    registerRules(rules: Rule[]): void;
+    get proRulesLoaded(): boolean;
+    get coreRuleCount(): number;
+    getAll(): Rule[];
+    getById(id: string): Rule | undefined;
+    getByCategory(category: OWASPCategory): Rule[];
+    getByLanguage(language: SupportedLanguage): Rule[];
+    filterByCategories(categoryPrefixes: string[]): Rule[];
+    size(): number;
+}
+/** Create a fresh registry, optionally with extra rules */
+export declare function createRegistry(extraRules?: Rule[]): RuleRegistry;
+export declare const registry: RuleRegistry;
+//# sourceMappingURL=registry.d.ts.map

package/dist/rules/registry.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/rules/registry.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,IAAI,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAyGhF,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAoB;IACjC,OAAO,CAAC,eAAe,CAAS;gBAEpB,KAAK,GAAE,IAAI,EAAe;IAOtC,kEAAkE;IAClE,aAAa,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,IAAI;IAOlC,IAAI,cAAc,IAAI,OAAO,CAE5B;IAED,IAAI,aAAa,IAAI,MAAM,CAE1B;IAED,MAAM,IAAI,IAAI,EAAE;IAIhB,OAAO,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS;IAIrC,aAAa,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI,EAAE;IAI9C,aAAa,CAAC,QAAQ,EAAE,iBAAiB,GAAG,IAAI,EAAE;IAMlD,kBAAkB,CAAC,gBAAgB,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE;IAStD,IAAI,IAAI,MAAM;CAGf;AAED,2DAA2D;AAC3D,wBAAgB,cAAc,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,GAAG,YAAY,CAMhE;AAGD,eAAO,MAAM,QAAQ,cAAqB,CAAC"}