@vibecheckai/cli 3.3.0 → 3.5.0

package/bin/runners/lib/engines/security-vulnerabilities-engine.js

@@ -1,6 +1,11 @@
 /**
  * Security Vulnerabilities Detection Engine
  * Detects SQL injection, XSS, command injection, path traversal, and other security issues
+ * Enhanced with smart detection to reduce false positives:
+ * - Detects parameterized queries (prepared statements)
+ * - Detects sanitization libraries (DOMPurify, xss, sanitize-html)
+ * - Detects path validation (path.resolve, path.normalize)
+ * - Framework-specific patterns (Prisma, Drizzle, Knex, TypeORM)
  */
 
 const { getAST } = require("./ast-cache");
@@ -8,6 +13,138 @@ const traverse = require("@babel/traverse").default;
 const t = require("@babel/types");
 const { shouldExcludeFile } = require("./file-filter");
 
+/**
+ * Safe ORM/Query Builder patterns that use parameterized queries by default
+ */
+const SAFE_ORM_PATTERNS = [
+  // Prisma
+  /prisma\.\w+\.(?:findUnique|findFirst|findMany|create|update|delete|upsert)/i,
+  /prisma\.\$queryRaw`/i, // Tagged template = safe
+  /prisma\.\$executeRaw`/i,
+  // Drizzle
+  /db\.select\(\)|db\.insert\(\)|db\.update\(\)|db\.delete\(\)/i,
+  // TypeORM
+  /\.createQueryBuilder\(\)/i,
+  /getRepository\(\)\.find/i,
+  // Knex
+  /knex\(\s*['"]?\w+['"]?\s*\)\.where/i,
+  /knex\.raw\(\s*['"][^'"]+['"]\s*,\s*\[/i, // knex.raw with params array
+  // Sequelize
+  /\.findAll\(|\.findOne\(|\.create\(|\.update\(/i,
+  // MongoDB/Mongoose
+  /\.find\(\{|\.findOne\(\{|\.aggregate\(\[/i,
+];
+
+/**
+ * Check if a line uses a safe ORM pattern
+ */
+function usesSafeORM(line, surroundingLines) {
+  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
+  return SAFE_ORM_PATTERNS.some(pattern => pattern.test(context));
+}
+
+/**
+ * Sanitization library patterns
+ */
+const SANITIZATION_PATTERNS = [
+  // DOMPurify
+  /DOMPurify\.sanitize\(/i,
+  /purify\.sanitize\(/i,
+  // xss library
+  /\bxss\s*\(/i,
+  /filterXSS\(/i,
+  // sanitize-html
+  /sanitizeHtml\(/i,
+  /sanitize\(/i,
+  // escape-html
+  /escapeHtml\(/i,
+  /escape\(/i,
+  // React's built-in escaping (JSX)
+  /dangerouslySetInnerHTML/i, // When this is NOT present, React escapes by default
+  // encode-html-entities
+  /htmlEncode\(/i,
+  /encodeHTML\(/i,
+];
+
+/**
+ * Check if content is sanitized before use
+ */
+function isSanitized(line, surroundingLines) {
+  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
+  return SANITIZATION_PATTERNS.some(pattern => pattern.test(context));
+}
+
+/**
+ * Path validation patterns
+ */
+const PATH_VALIDATION_PATTERNS = [
+  // path.resolve normalizes and makes absolute
+  /path\.resolve\(/i,
+  // path.normalize removes .. traversals
+  /path\.normalize\(/i,
+  // path.join with validation
+  /path\.join\(\s*__dirname/i,
+  /path\.join\(\s*process\.cwd\(\)/i,
+  // Common validation patterns
+  /\.startsWith\(\s*(?:baseDir|rootDir|allowedPath|safeDir)/i,
+  /\.includes\(\s*['"]\.\.["']\s*\)/i, // Manual check for ..
+  /!.*\.includes\(\s*['"]\.\.["']\s*\)/i, // Negated check
+];
+
+/**
+ * Check if path is validated/sanitized
+ */
+function isPathValidated(line, surroundingLines) {
+  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
+  return PATH_VALIDATION_PATTERNS.some(pattern => pattern.test(context));
+}
+
+/**
+ * Check if SQL query uses parameterized placeholders
+ */
+function usesParameterizedQuery(args, code) {
+  if (!args || args.length === 0) return false;
+  
+  const firstArg = args[0];
+  
+  // Check for placeholder patterns in the query string
+  if (t.isStringLiteral(firstArg)) {
+    const query = firstArg.value;
+    // PostgreSQL: $1, $2, etc.
+    if (/\$\d+/.test(query)) return true;
+    // MySQL: ?, ?? placeholders
+    if (/\?/.test(query)) return true;
+    // Named parameters: :name, @name
+    if (/[:@]\w+/.test(query)) return true;
+  }
+  
+  // Check for tagged template literals (safe by default in most ORMs)
+  if (t.isTaggedTemplateExpression(args[0])) {
+    return true;
+  }
+  
+  // Check if there's a second argument that's an array (params)
+  if (args.length >= 2 && t.isArrayExpression(args[1])) {
+    return true;
+  }
+  
+  // Check if second argument is an object (named params)
+  if (args.length >= 2 && t.isObjectExpression(args[1])) {
+    return true;
+  }
+  
+  return false;
+}
+
+/**
+ * Get surrounding lines for context analysis
+ */
+function getSurroundingLines(lines, lineIndex, range = 3) {
+  const start = Math.max(0, lineIndex - range);
+  const end = Math.min(lines.length, lineIndex + range + 1);
+  return lines.slice(start, end);
+}
+
 /**
  * Analyze a file for security vulnerabilities
  */
@@ -22,7 +159,7 @@ function analyzeSecurityVulnerabilities(code, filePath) {
 
   const lines = code.split("\n");
 
-  // SQL Injection patterns
+  // SQL Injection patterns - Enhanced with ORM/parameterization detection
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
@@ -34,24 +171,44 @@ function analyzeSecurityVulnerabilities(code, filePath) {
         
         // Database query methods
         if (t.isIdentifier(prop) && 
-            ["query", "execute", "exec", "run"].includes(prop.name)) {
+            ["query", "execute", "exec", "run", "raw"].includes(prop.name)) {
+          
+          const lineNum = node.loc.start.line;
+          const lineContent = lines[lineNum - 1] || "";
+          const surroundingLines = getSurroundingLines(lines, lineNum - 1);
+          
+          // Skip if using safe ORM patterns
+          if (usesSafeORM(lineContent, surroundingLines)) {
+            return;
+          }
+          
+          // Skip if using parameterized queries
+          if (usesParameterizedQuery(node.arguments, code)) {
+            return;
+          }
           
           // Check if arguments contain template literals or string concatenation
           for (const arg of node.arguments) {
             if (t.isTemplateLiteral(arg) || 
                 (t.isBinaryExpression(arg) && arg.operator === "+")) {
-              const line = node.loc.start.line;
+              
+              // Double-check it's not a tagged template (safe)
+              if (t.isTaggedTemplateExpression(arg)) {
+                continue;
+              }
+              
               findings.push({
                 type: "sql_injection",
                 severity: "BLOCK",
                 category: "Security",
                 file: filePath,
-                line,
+                line: lineNum,
                 column: node.loc.start.column,
                 title: "Potential SQL injection vulnerability",
-                message: "SQL query constructed with user input without parameterization",
-                codeSnippet: lines[line - 1]?.trim(),
+                message: "SQL query constructed with string interpolation. Use parameterized queries instead.",
+                codeSnippet: lineContent.trim(),
                 confidence: "high",
+                fixHint: "Use parameterized queries: query('SELECT * FROM users WHERE id = $1', [userId])",
               });
               break;
             }
@@ -61,7 +218,7 @@ function analyzeSecurityVulnerabilities(code, filePath) {
     },
   });
 
-  // XSS vulnerabilities
+  // XSS vulnerabilities - Enhanced with sanitization detection
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
@@ -74,21 +231,38 @@ function analyzeSecurityVulnerabilities(code, filePath) {
         if (t.isIdentifier(prop) && 
             ["innerHTML", "outerHTML", "insertAdjacentHTML"].includes(prop.name)) {
           
+          const lineNum = node.loc.start.line;
+          const lineContent = lines[lineNum - 1] || "";
+          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
+          
+          // Skip if content is sanitized
+          if (isSanitized(lineContent, surroundingLines)) {
+            return;
+          }
+          
           // Check if argument comes from user input or URL params
           for (const arg of node.arguments) {
             if (t.isIdentifier(arg) || t.isMemberExpression(arg)) {
-              const line = node.loc.start.line;
+              // Check if the argument itself is a sanitize call
+              if (t.isCallExpression(arg)) {
+                const argCode = code.substring(arg.start, arg.end);
+                if (SANITIZATION_PATTERNS.some(p => p.test(argCode))) {
+                  continue;
+                }
+              }
+              
               findings.push({
                 type: "xss",
                 severity: "BLOCK",
                 category: "Security",
                 file: filePath,
-                line,
+                line: lineNum,
                 column: node.loc.start.column,
                 title: "Potential XSS vulnerability",
-                message: `Using ${prop.name} with potentially unsafe content`,
-                codeSnippet: lines[line - 1]?.trim(),
+                message: `Using ${prop.name} with potentially unsafe content. Sanitize before rendering.`,
+                codeSnippet: lineContent.trim(),
                 confidence: "med",
+                fixHint: "Use DOMPurify.sanitize(content) or sanitize-html before setting innerHTML",
               });
               break;
             }
@@ -97,75 +271,229 @@ function analyzeSecurityVulnerabilities(code, filePath) {
       }
     },
   });
+  
+  // Also check for dangerouslySetInnerHTML in React
+  traverse(ast, {
+    JSXAttribute(path) {
+      const node = path.node;
+      
+      if (t.isJSXIdentifier(node.name, { name: "dangerouslySetInnerHTML" })) {
+        const lineNum = node.loc.start.line;
+        const lineContent = lines[lineNum - 1] || "";
+        const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
+        
+        // Skip if content is sanitized
+        if (isSanitized(lineContent, surroundingLines)) {
+          return;
+        }
+        
+        findings.push({
+          type: "xss",
+          severity: "WARN",
+          category: "Security",
+          file: filePath,
+          line: lineNum,
+          column: node.loc.start.column,
+          title: "Potential XSS via dangerouslySetInnerHTML",
+          message: "Using dangerouslySetInnerHTML without visible sanitization",
+          codeSnippet: lineContent.trim(),
+          confidence: "med",
+          fixHint: "Sanitize content with DOMPurify.sanitize() before rendering",
+        });
+      }
+    },
+  });
 
-  // Command injection
+  // Command injection - Enhanced with shell escape detection
+  const SHELL_ESCAPE_PATTERNS = [
+    /shellEscape\(/i,
+    /escapeShell\(/i,
+    /shell-escape/i,
+    /shellescape/i,
+    /quote\(/i, // shell-quote
+  ];
+  
+  function isShellEscaped(line, surroundingLines) {
+    const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
+    return SHELL_ESCAPE_PATTERNS.some(pattern => pattern.test(context));
+  }
+  
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
       
       // Dangerous command execution methods
+      let methodName = null;
+      
       if (t.isIdentifier(node.callee)) {
-        const dangerousMethods = ["exec", "spawn", "execSync", "spawnSync"];
+        methodName = node.callee.name;
+      } else if (t.isMemberExpression(node.callee) && t.isIdentifier(node.callee.property)) {
+        methodName = node.callee.property.name;
+      }
+      
+      const dangerousMethods = ["exec", "spawn", "execSync", "spawnSync", "execFile", "execFileSync"];
+      
+      if (methodName && dangerousMethods.includes(methodName)) {
+        const lineNum = node.loc.start.line;
+        const lineContent = lines[lineNum - 1] || "";
+        const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
         
-        if (dangerousMethods.includes(node.callee.name)) {
-          // Check if arguments contain user input
-          for (const arg of node.arguments) {
-            if (t.isTemplateLiteral(arg) || 
-                (t.isBinaryExpression(arg) && arg.operator === "+")) {
-              const line = node.loc.start.line;
-              findings.push({
-                type: "command_injection",
-                severity: "BLOCK",
-                category: "Security",
-                file: filePath,
-                line,
-                column: node.loc.start.column,
-                title: "Potential command injection vulnerability",
-                message: "Command execution with potentially unsafe user input",
-                codeSnippet: lines[line - 1]?.trim(),
-                confidence: "high",
-              });
-              break;
-            }
+        // Skip if shell-escaped
+        if (isShellEscaped(lineContent, surroundingLines)) {
+          return;
+        }
+        
+        // Check if arguments contain user input
+        for (const arg of node.arguments) {
+          if (t.isTemplateLiteral(arg) || 
+              (t.isBinaryExpression(arg) && arg.operator === "+")) {
+            findings.push({
+              type: "command_injection",
+              severity: "BLOCK",
+              category: "Security",
+              file: filePath,
+              line: lineNum,
+              column: node.loc.start.column,
+              title: "Potential command injection vulnerability",
+              message: "Command execution with string interpolation. Use array args or shell-escape.",
+              codeSnippet: lineContent.trim(),
+              confidence: "high",
+              fixHint: "Use spawn with array arguments: spawn('cmd', [arg1, arg2]) instead of shell strings",
+            });
+            break;
           }
         }
       }
     },
   });
 
-  // Path traversal
+  // SSRF (Server-Side Request Forgery) detection
+  traverse(ast, {
+    CallExpression(path) {
+      const node = path.node;
+      
+      // Check for fetch, axios, http.request with dynamic URLs
+      let isHttpCall = false;
+      let methodName = "";
+      
+      if (t.isIdentifier(node.callee)) {
+        isHttpCall = ["fetch", "axios", "request", "got", "superagent"].includes(node.callee.name);
+        methodName = node.callee.name;
+      } else if (t.isMemberExpression(node.callee)) {
+        const prop = node.callee.property;
+        if (t.isIdentifier(prop)) {
+          isHttpCall = ["get", "post", "put", "delete", "request", "fetch"].includes(prop.name);
+          methodName = prop.name;
+        }
+      }
+      
+      if (isHttpCall && node.arguments.length > 0) {
+        const urlArg = node.arguments[0];
+        
+        // Check if URL contains user input
+        if (t.isTemplateLiteral(urlArg) && urlArg.expressions && urlArg.expressions.length > 0) {
+          const lineNum = node.loc.start.line;
+          const lineContent = lines[lineNum - 1] || "";
+          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
+          
+          // Check for URL validation patterns
+          const urlValidationPatterns = [
+            /new URL\(/i,
+            /url\.parse\(/i,
+            /isValidUrl\(/i,
+            /validateUrl\(/i,
+            /allowedHosts/i,
+            /whitelist/i,
+          ];
+          
+          const hasUrlValidation = urlValidationPatterns.some(p => 
+            p.test(lineContent) || p.test(surroundingLines.join('\n'))
+          );
+          
+          if (!hasUrlValidation) {
+            findings.push({
+              type: "ssrf",
+              severity: "WARN",
+              category: "Security",
+              file: filePath,
+              line: lineNum,
+              column: node.loc.start.column,
+              title: "Potential SSRF vulnerability",
+              message: "HTTP request with user-controlled URL without visible validation",
+              codeSnippet: lineContent.trim(),
+              confidence: "med",
+              fixHint: "Validate URLs against an allowlist of hosts before making requests",
+            });
+          }
+        }
+      }
+    },
+  });
+
+  // Path traversal - Enhanced with path validation detection
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
       
       // File system operations
-      if (t.isMemberExpression(node.callee) && 
-          t.isIdentifier(node.callee.object, { name: "fs" })) {
+      if (t.isMemberExpression(node.callee)) {
+        const obj = node.callee.object;
         const prop = node.callee.property;
         
-        if (t.isIdentifier(prop) && 
-            ["readFile", "writeFile", "readFileSync", "writeFileSync", "unlink"].includes(prop.name)) {
+        // Check for fs.* or fs/promises methods
+        const isFsCall = t.isIdentifier(obj, { name: "fs" }) || 
+                         t.isIdentifier(obj, { name: "fsp" }) ||
+                         t.isIdentifier(obj, { name: "fsPromises" });
+        
+        if (isFsCall && t.isIdentifier(prop) && 
+            ["readFile", "writeFile", "readFileSync", "writeFileSync", "unlink", 
+             "unlinkSync", "access", "accessSync", "stat", "statSync",
+             "readdir", "readdirSync", "mkdir", "mkdirSync"].includes(prop.name)) {
+          
+          const lineNum = node.loc.start.line;
+          const lineContent = lines[lineNum - 1] || "";
+          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
+          
+          // Skip if path is validated/sanitized
+          if (isPathValidated(lineContent, surroundingLines)) {
+            return;
+          }
           
           // Check if path contains user input or "../"
           for (const arg of node.arguments) {
+            let hasTraversal = false;
+            let hasUserInput = false;
+            
             if (t.isTemplateLiteral(arg)) {
               const template = code.substring(arg.start, arg.end);
-              if (template.includes("../") || template.includes("..\\")) {
-                const line = node.loc.start.line;
-                findings.push({
-                  type: "path_traversal",
-                  severity: "BLOCK",
-                  category: "Security",
-                  file: filePath,
-                  line,
-                  column: node.loc.start.column,
-                  title: "Potential path traversal vulnerability",
-                  message: "File operation with path containing '..' - validate and sanitize paths",
-                  codeSnippet: lines[line - 1]?.trim(),
-                  confidence: "high",
-                });
-                break;
-              }
+              hasTraversal = template.includes("../") || template.includes("..\\");
+              hasUserInput = arg.expressions && arg.expressions.length > 0;
+            } else if (t.isBinaryExpression(arg) && arg.operator === "+") {
+              // String concatenation with user input
+              hasUserInput = true;
+            } else if (t.isIdentifier(arg)) {
+              // Variable path - check if it looks like user input
+              const varName = arg.name.toLowerCase();
+              hasUserInput = /path|file|dir|folder|name|input|param|query|body|req/i.test(varName);
+            }
+            
+            if (hasTraversal || hasUserInput) {
+              findings.push({
+                type: "path_traversal",
+                severity: hasTraversal ? "BLOCK" : "WARN",
+                category: "Security",
+                file: filePath,
+                line: lineNum,
+                column: node.loc.start.column,
+                title: "Potential path traversal vulnerability",
+                message: hasTraversal 
+                  ? "File operation with path containing '..' - validate and sanitize paths"
+                  : "File operation with potentially user-controlled path - validate before use",
+                codeSnippet: lineContent.trim(),
+                confidence: hasTraversal ? "high" : "med",
+                fixHint: "Use path.resolve() with a base directory and validate the result starts with the expected prefix",
+              });
+              break;
             }
           }
         }