@vibecheckai/cli 3.4.0 → 3.5.0

package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js

@@ -1,6 +1,10 @@
 /**
  * Hardcoded Secrets Engine
- * Detects API keys, tokens, passwords, and private keys in code.
+ * Enhanced with:
+ * - Shannon entropy analysis for high-entropy string detection
+ * - More comprehensive secret patterns (50+ patterns)
+ * - Better false positive detection (env vars, comments, placeholders)
+ * - Context-aware detection
  */
 
 const { getAST, parseCode } = require("./ast-cache");
@@ -8,22 +12,118 @@ const traverse = require("@babel/traverse").default;
 const t = require("@babel/types");
 const { shouldExcludeFile, isTestContext, hasIgnoreDirective } = require("./file-filter");
 
+/**
+ * Calculate Shannon entropy of a string
+ * Higher entropy = more random = more likely to be a secret
+ */
+function calculateEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  
+  const len = str.length;
+  const frequencies = {};
+  
+  for (const char of str) {
+    frequencies[char] = (frequencies[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  for (const count of Object.values(frequencies)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  
+  return entropy;
+}
+
+/**
+ * Entropy thresholds for secret detection
+ * Based on analysis of real secrets vs normal strings
+ */
+const ENTROPY_THRESHOLDS = {
+  HIGH: 4.5,      // Likely a secret (API keys, tokens)
+  MEDIUM: 3.5,    // Possibly a secret, needs context
+  LOW: 2.5,       // Unlikely to be a secret
+};
+
+/**
+ * Check if a string has high entropy (looks random)
+ */
+function hasHighEntropy(str, minLength = 16) {
+  if (!str || str.length < minLength) return false;
+  
+  const entropy = calculateEntropy(str);
+  const entropyPerChar = entropy; // Shannon entropy is already normalized
+  
+  // Longer strings should have proportionally higher entropy
+  const lengthFactor = Math.min(str.length / 32, 1.5);
+  const adjustedThreshold = ENTROPY_THRESHOLDS.HIGH / lengthFactor;
+  
+  return entropy >= adjustedThreshold;
+}
+
 // Enhanced patterns with more comprehensive detection
 const SECRET_PATTERNS = [
-  { name: "AWS Access Key", pattern: /AKIA[0-9A-Z]{16}/ },
-  { name: "AWS Secret Key", pattern: /[0-9a-zA-Z/+]{40}/ },
-  { name: "GitHub Token", pattern: /ghp_[0-9a-zA-Z]{36}/ },
-  { name: "GitLab Token", pattern: /glpat-[0-9a-zA-Z\-_]{20,}/ },
-  { name: "Slack Token", pattern: /xox[baprs]-[0-9a-zA-Z]{10,48}/ },
-  { name: "Stripe Key", pattern: /sk_(live|test)_[0-9a-zA-Z]{24,}/ },
-  { name: "Generic API Key", pattern: /[a-zA-Z0-9]{32,}/ },
-  { name: "JWT Token", pattern: /eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/ },
-  { name: "Private Key", pattern: /-----BEGIN (RSA |EC )?PRIVATE KEY-----/ },
-  { name: "Database URL", pattern: /(mongodb|postgresql|mysql):\/\/[^\\s]+/ },
-  { name: "Password", pattern: /(password|passwd|pwd)\s*[:=]\s*['"][^'"]+['"]/i },
-  { name: "Bearer Token", pattern: /Bearer\s+[a-zA-Z0-9\-_\.]+/i },
-  { name: "OAuth Token", pattern: /ya29\.[0-9A-Za-z\-_]+/ },
-  { name: "Twilio Key", pattern: /SK[0-9a-fA-F]{32}/ },
+  // Cloud Provider Keys
+  { name: "AWS Access Key ID", pattern: /AKIA[0-9A-Z]{16}/, severity: "BLOCK", confidence: "high" },
+  { name: "AWS Secret Access Key", pattern: /(?<![A-Za-z0-9/+])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])/, severity: "BLOCK", confidence: "med", requiresEntropy: true },
+  { name: "AWS Session Token", pattern: /FwoGZXIvYXdzE/, severity: "BLOCK", confidence: "high" },
+  { name: "Google API Key", pattern: /AIza[0-9A-Za-z\-_]{35}/, severity: "BLOCK", confidence: "high" },
+  { name: "Google OAuth Token", pattern: /ya29\.[0-9A-Za-z\-_]+/, severity: "BLOCK", confidence: "high" },
+  { name: "Azure Storage Key", pattern: /(?:[A-Za-z0-9+/]{86}==)/, severity: "BLOCK", confidence: "med", requiresEntropy: true },
+  
+  // Version Control
+  { name: "GitHub Personal Access Token", pattern: /ghp_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
+  { name: "GitHub OAuth Token", pattern: /gho_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
+  { name: "GitHub App Token", pattern: /ghu_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
+  { name: "GitHub Refresh Token", pattern: /ghr_[0-9a-zA-Z]{36}/, severity: "BLOCK", confidence: "high" },
+  { name: "GitLab Token", pattern: /glpat-[0-9a-zA-Z\-_]{20,}/, severity: "BLOCK", confidence: "high" },
+  { name: "Bitbucket Token", pattern: /ATBB[0-9a-zA-Z]{32}/, severity: "BLOCK", confidence: "high" },
+  
+  // Payment Processors
+  { name: "Stripe Live Key", pattern: /sk_live_[0-9a-zA-Z]{24,}/, severity: "BLOCK", confidence: "high" },
+  { name: "Stripe Test Key", pattern: /sk_test_[0-9a-zA-Z]{24,}/, severity: "WARN", confidence: "high" },
+  { name: "Stripe Publishable Key", pattern: /pk_(live|test)_[0-9a-zA-Z]{24,}/, severity: "INFO", confidence: "high" },
+  { name: "PayPal Access Token", pattern: /access_token\$[a-zA-Z0-9]{16}\$[a-zA-Z0-9]{64}/, severity: "BLOCK", confidence: "high" },
+  { name: "Square Access Token", pattern: /sq0atp-[0-9A-Za-z\-_]{22}/, severity: "BLOCK", confidence: "high" },
+  
+  // Communication Services
+  { name: "Slack Bot Token", pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/, severity: "BLOCK", confidence: "high" },
+  { name: "Slack User Token", pattern: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/, severity: "BLOCK", confidence: "high" },
+  { name: "Slack Webhook URL", pattern: /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/, severity: "BLOCK", confidence: "high" },
+  { name: "Twilio API Key", pattern: /SK[0-9a-fA-F]{32}/, severity: "BLOCK", confidence: "high" },
+  { name: "Twilio Auth Token", pattern: /(?<![a-zA-Z0-9])[a-f0-9]{32}(?![a-zA-Z0-9])/, severity: "WARN", confidence: "low", requiresContext: true },
+  { name: "SendGrid API Key", pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/, severity: "BLOCK", confidence: "high" },
+  { name: "Mailchimp API Key", pattern: /[a-f0-9]{32}-us[0-9]{1,2}/, severity: "BLOCK", confidence: "high" },
+  
+  // Database Connection Strings
+  { name: "MongoDB Connection String", pattern: /mongodb(\+srv)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
+  { name: "PostgreSQL Connection String", pattern: /postgres(ql)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
+  { name: "MySQL Connection String", pattern: /mysql:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
+  { name: "Redis Connection String", pattern: /redis(s)?:\/\/[^\s'"]+/, severity: "BLOCK", confidence: "high" },
+  
+  // Auth Tokens
+  { name: "JWT Token", pattern: /eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/, severity: "WARN", confidence: "high" },
+  { name: "Bearer Token", pattern: /Bearer\s+[a-zA-Z0-9\-_\.]{20,}/i, severity: "WARN", confidence: "med" },
+  
+  // Private Keys
+  { name: "RSA Private Key", pattern: /-----BEGIN RSA PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
+  { name: "EC Private Key", pattern: /-----BEGIN EC PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
+  { name: "Private Key", pattern: /-----BEGIN PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
+  { name: "OpenSSH Private Key", pattern: /-----BEGIN OPENSSH PRIVATE KEY-----/, severity: "BLOCK", confidence: "high" },
+  { name: "PGP Private Key", pattern: /-----BEGIN PGP PRIVATE KEY BLOCK-----/, severity: "BLOCK", confidence: "high" },
+  
+  // API Keys (Generic but with prefixes)
+  { name: "Heroku API Key", pattern: /[h|H]eroku.*[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}/, severity: "BLOCK", confidence: "high" },
+  { name: "NPM Token", pattern: /npm_[a-zA-Z0-9]{36}/, severity: "BLOCK", confidence: "high" },
+  { name: "PyPI Token", pattern: /pypi-[a-zA-Z0-9]{38,}/, severity: "BLOCK", confidence: "high" },
+  { name: "Docker Hub Token", pattern: /dckr_pat_[a-zA-Z0-9_-]{42,}/, severity: "BLOCK", confidence: "high" },
+  
+  // Credentials
+  { name: "Password Assignment", pattern: /(?:password|passwd|pwd|secret|credential)\s*[:=]\s*['"][^'"]{8,}['"]/i, severity: "WARN", confidence: "med", requiresContext: true },
+  { name: "Basic Auth", pattern: /Basic\s+[a-zA-Z0-9+/=]{20,}/, severity: "WARN", confidence: "med" },
+  
+  // High Entropy Generic (last resort)
+  { name: "High Entropy String", pattern: /[a-zA-Z0-9]{32,}/, severity: "INFO", confidence: "low", requiresEntropy: true },
 ];
 
 function getContext(code, start, length = 80) {
@@ -32,10 +132,14 @@ function getContext(code, start, length = 80) {
   return code.slice(contextStart, contextEnd).replace(/\n/g, " ").trim();
 }
 
-function isLikelyFalsePositive(value) {
-  // Exclude obvious placeholders
+/**
+ * Check if value matches common placeholder patterns
+ */
+function isPlaceholder(value) {
   const placeholders = [
     "YOUR_API_KEY",
+    "YOUR_SECRET",
+    "YOUR_TOKEN",
     "API_KEY_HERE",
     "REPLACE_ME",
     "CHANGE_ME",
@@ -43,15 +147,122 @@ function isLikelyFalsePositive(value) {
     "TODO",
     "EXAMPLE",
     "SAMPLE",
-    "TEST",
     "DUMMY",
+    "FAKE",
+    "MOCK",
+    "TEST_KEY",
+    "DEV_KEY",
+    "PLACEHOLDER",
+    "XXX",
+    "XXXXXXXX",
+    "12345",
+    "123456789",
+    "abcdef",
+    "0000000",
   ];
   const upper = String(value).toUpperCase();
-  return placeholders.some((p) => upper.includes(p));
+  return placeholders.some((p) => upper.includes(p)) ||
+         /^[0-9]+$/.test(value) || // All numbers
+         /^[a-z]+$/.test(value) || // All lowercase letters
+         /^[A-Z]+$/.test(value) || // All uppercase letters
+         /^(.)\1+$/.test(value);   // Repeated characters
+}
+
+/**
+ * Check if value is an environment variable reference
+ */
+function isEnvVarReference(value, code, position) {
+  // Direct env reference
+  if (/process\.env\./i.test(value)) return true;
+  if (/import\.meta\.env\./i.test(value)) return true;
+  
+  // Check surrounding code for env reference
+  const start = Math.max(0, position - 50);
+  const end = Math.min(code.length, position + value.length + 50);
+  const context = code.slice(start, end);
+  
+  return /process\.env\s*\[?\s*['"]/i.test(context) ||
+         /import\.meta\.env/i.test(context) ||
+         /getenv\s*\(/i.test(context);
+}
+
+/**
+ * Check if value is in a safe context
+ */
+function isInSafeContext(path, code) {
+  // Check if in a type annotation
+  const parent = path.parentPath;
+  if (parent?.isTypeAnnotation?.() || parent?.isTSTypeAnnotation?.()) {
+    return true;
+  }
+  
+  // Check if it's a key name (object property key)
+  if (parent?.isObjectProperty?.() && parent.node.key === path.node) {
+    return true;
+  }
+  
+  // Check if it's importing from a config/env file
+  const importParent = path.findParent(p => p.isImportDeclaration());
+  if (importParent) return true;
+  
+  // Check variable name for env/config indicators
+  if (parent?.isVariableDeclarator?.()) {
+    const varName = parent.node.id?.name || "";
+    if (/env|config|settings|options/i.test(varName)) {
+      return true;
+    }
+  }
+  
+  return false;
+}
+
+function isLikelyFalsePositive(value, path, code, position) {
+  // Basic placeholder check
+  if (isPlaceholder(value)) return true;
+  
+  // Environment variable reference
+  if (isEnvVarReference(value, code, position)) return true;
+  
+  // Check for common non-secret patterns
+  // URLs without credentials
+  if (/^https?:\/\/(?!.*:.*@)[^\s]+$/.test(value)) return true;
+  
+  // Common hash algorithms output
+  if (/^[a-f0-9]{32}$/.test(value) && /md5|hash/i.test(code.slice(Math.max(0, position - 100), position))) {
+    return true;
+  }
+  
+  // File paths
+  if (/^[./]|^[a-zA-Z]:\\/.test(value)) return true;
+  
+  // Base64 encoded common strings
+  const decoded = tryBase64Decode(value);
+  if (decoded && (isPlaceholder(decoded) || decoded.length < 8)) return true;
+  
+  // Skip if it's a safe context
+  if (path && isInSafeContext(path, code)) return true;
+  
+  return false;
+}
+
+/**
+ * Try to decode base64
+ */
+function tryBase64Decode(str) {
+  try {
+    if (!/^[A-Za-z0-9+/]+=*$/.test(str)) return null;
+    const decoded = Buffer.from(str, "base64").toString("utf8");
+    // Check if decoded is printable ASCII
+    if (/^[\x20-\x7E]+$/.test(decoded)) return decoded;
+    return null;
+  } catch {
+    return null;
+  }
 }
 
 function analyzeHardcodedSecrets(code, filePath) {
   const findings = [];
+  const foundSecrets = new Set(); // Avoid duplicate reports
 
   if (shouldExcludeFile(filePath)) return findings;
   if (isTestContext(code, filePath)) return findings;
@@ -62,69 +273,121 @@ function analyzeHardcodedSecrets(code, filePath) {
 
   const lines = code.split("\n");
 
+  function checkValue(value, path, position) {
+    if (!value || value.length < 12) return;
+    if (isLikelyFalsePositive(value, path, code, position)) return;
+    
+    // Create a unique key to avoid duplicates
+    const valueKey = `${position}:${value.substring(0, 20)}`;
+    if (foundSecrets.has(valueKey)) return;
+
+    for (const secretPattern of SECRET_PATTERNS) {
+      const match = value.match(secretPattern.pattern);
+      if (!match) continue;
+      
+      // For patterns that require high entropy, verify
+      if (secretPattern.requiresEntropy) {
+        const matchedValue = match[0];
+        if (!hasHighEntropy(matchedValue)) continue;
+      }
+      
+      // For patterns requiring context, check variable names
+      if (secretPattern.requiresContext) {
+        const context = getContext(code, position, 100);
+        const hasSecretContext = /(?:api_?key|secret|token|password|credential|auth)/i.test(context);
+        if (!hasSecretContext) continue;
+      }
+
+      const loc = path.node.loc?.start;
+      if (!loc) continue;
+
+      const line = loc.line;
+      const contextStr = getContext(code, position);
+      
+      // Mask the actual secret value in output
+      const maskedValue = maskSecret(match[0]);
+      
+      foundSecrets.add(valueKey);
+
+      findings.push({
+        type: "hardcoded_secret",
+        severity: secretPattern.severity || "BLOCK",
+        category: "Security",
+        file: filePath,
+        line,
+        column: loc.column,
+        title: `Hardcoded ${secretPattern.name} detected`,
+        message: `Found potential ${secretPattern.name} in code. Move to environment variables or secret manager.`,
+        codeSnippet: lines[line - 1]?.trim(),
+        evidence: `Detected pattern: ${maskedValue}`,
+        confidence: secretPattern.confidence || "high",
+        fixHint: `Replace with process.env.${suggestEnvVarName(secretPattern.name)}`,
+      });
+      
+      // Only report the first matching pattern per value
+      break;
+    }
+  }
+
   // Check string literals for secrets
   traverse(ast, {
     StringLiteral(path) {
       const value = path.node.value;
-      if (!value || value.length < 12) return;
-      if (isLikelyFalsePositive(value)) return;
-
-      for (const secretPattern of SECRET_PATTERNS) {
-        const match = value.match(secretPattern.pattern);
-        if (!match) continue;
-
-        const loc = path.node.loc?.start;
-        if (!loc) continue;
-
-        const line = loc.line;
-        const context = getContext(code, path.node.start || 0);
-
-        findings.push({
-          type: "hardcoded_secret",
-          severity: "BLOCK",
-          category: "Security",
-          file: filePath,
-          line,
-          column: loc.column,
-          title: `Hardcoded ${secretPattern.name} detected`,
-          message: `Found potential ${secretPattern.name} in string literal. Move to environment variables or secret manager.`,
-          codeSnippet: lines[line - 1]?.trim(),
-          evidence: context,
-          confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
-        });
-      }
+      const position = path.node.start || 0;
+      checkValue(value, path, position);
     },
 
     TemplateLiteral(path) {
-      // Template literals may contain secrets in raw strings (rare), but catch if a quasi looks like a token.
+      // Template literals may contain secrets in raw strings
       for (const quasi of path.node.quasis || []) {
         const value = quasi.value?.cooked || "";
-        if (!value || value.length < 12) continue;
-        if (isLikelyFalsePositive(value)) continue;
-
-        for (const secretPattern of SECRET_PATTERNS) {
-          const match = value.match(secretPattern.pattern);
-          if (!match) continue;
-
-          const loc = quasi.loc?.start || path.node.loc?.start;
-          if (!loc) continue;
-
-          const line = loc.line;
-          const context = getContext(code, quasi.start || path.node.start || 0);
-
-          findings.push({
-            type: "hardcoded_secret",
-            severity: "BLOCK",
-            category: "Security",
-            file: filePath,
-            line,
-            column: loc.column,
-            title: `Hardcoded ${secretPattern.name} detected`,
-            message: `Found potential ${secretPattern.name} in template literal. Move to environment variables or secret manager.`,
-            codeSnippet: lines[line - 1]?.trim(),
-            evidence: context,
-            confidence: secretPattern.name === "Generic API Key" ? "low" : "high",
-          });
+        const position = quasi.start || path.node.start || 0;
+        checkValue(value, { node: quasi, parentPath: path }, position);
+      }
+    },
+    
+    // Also check object property values with secret-looking keys
+    ObjectProperty(path) {
+      const key = path.node.key;
+      const value = path.node.value;
+      
+      // Check if key suggests a secret
+      let keyName = "";
+      if (t.isIdentifier(key)) {
+        keyName = key.name;
+      } else if (t.isStringLiteral(key)) {
+        keyName = key.value;
+      }
+      
+      const isSecretKey = /(?:api_?key|secret|token|password|credential|auth_?token|private_?key)/i.test(keyName);
+      
+      if (isSecretKey && t.isStringLiteral(value)) {
+        const strValue = value.value;
+        if (strValue && strValue.length >= 8 && !isPlaceholder(strValue)) {
+          const position = value.start || 0;
+          
+          // Check entropy for generic values
+          if (hasHighEntropy(strValue, 8)) {
+            const loc = value.loc?.start;
+            if (loc && !foundSecrets.has(`${position}:${strValue.substring(0, 20)}`)) {
+              foundSecrets.add(`${position}:${strValue.substring(0, 20)}`);
+              
+              findings.push({
+                type: "hardcoded_secret",
+                severity: "WARN",
+                category: "Security",
+                file: filePath,
+                line: loc.line,
+                column: loc.column,
+                title: `Potential secret in '${keyName}' property`,
+                message: `High-entropy value in secret-looking property '${keyName}'. Consider using environment variables.`,
+                codeSnippet: lines[loc.line - 1]?.trim(),
+                evidence: `Property: ${keyName} = ${maskSecret(strValue)}`,
+                confidence: "med",
+                fixHint: `Replace with process.env.${keyName.toUpperCase()}`,
+              });
+            }
+          }
         }
       }
     },
@@ -133,7 +396,44 @@ function analyzeHardcodedSecrets(code, filePath) {
   return findings;
 }
 
+/**
+ * Mask a secret value for safe display
+ */
+function maskSecret(value) {
+  if (!value || value.length < 8) return "***";
+  
+  const visibleStart = Math.min(4, Math.floor(value.length / 4));
+  const visibleEnd = Math.min(4, Math.floor(value.length / 4));
+  
+  return value.substring(0, visibleStart) + 
+         "*".repeat(Math.max(4, value.length - visibleStart - visibleEnd)) + 
+         value.substring(value.length - visibleEnd);
+}
+
+/**
+ * Suggest an environment variable name
+ */
+function suggestEnvVarName(secretType) {
+  const mapping = {
+    "AWS Access Key ID": "AWS_ACCESS_KEY_ID",
+    "AWS Secret Access Key": "AWS_SECRET_ACCESS_KEY",
+    "GitHub Personal Access Token": "GITHUB_TOKEN",
+    "Stripe Live Key": "STRIPE_SECRET_KEY",
+    "Stripe Test Key": "STRIPE_TEST_KEY",
+    "Database URL": "DATABASE_URL",
+    "MongoDB Connection String": "MONGODB_URI",
+    "PostgreSQL Connection String": "DATABASE_URL",
+    "JWT Token": "JWT_SECRET",
+    "Slack Bot Token": "SLACK_BOT_TOKEN",
+    "SendGrid API Key": "SENDGRID_API_KEY",
+  };
+  
+  return mapping[secretType] || secretType.toUpperCase().replace(/\s+/g, "_");
+}
+
 module.exports = {
   analyzeHardcodedSecrets,
+  calculateEntropy,
+  hasHighEntropy,
   parseCode,
 };