@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/security-vulnerabilities-engine.js

@@ -1,11 +1,6 @@
 /**
  * Security Vulnerabilities Detection Engine
  * Detects SQL injection, XSS, command injection, path traversal, and other security issues
- * Enhanced with smart detection to reduce false positives:
- * - Detects parameterized queries (prepared statements)
- * - Detects sanitization libraries (DOMPurify, xss, sanitize-html)
- * - Detects path validation (path.resolve, path.normalize)
- * - Framework-specific patterns (Prisma, Drizzle, Knex, TypeORM)
  */
 
 const { getAST } = require("./ast-cache");
@@ -13,138 +8,6 @@ const traverse = require("@babel/traverse").default;
 const t = require("@babel/types");
 const { shouldExcludeFile } = require("./file-filter");
 
-/**
- * Safe ORM/Query Builder patterns that use parameterized queries by default
- */
-const SAFE_ORM_PATTERNS = [
-  // Prisma
-  /prisma\.\w+\.(?:findUnique|findFirst|findMany|create|update|delete|upsert)/i,
-  /prisma\.\$queryRaw`/i, // Tagged template = safe
-  /prisma\.\$executeRaw`/i,
-  // Drizzle
-  /db\.select\(\)|db\.insert\(\)|db\.update\(\)|db\.delete\(\)/i,
-  // TypeORM
-  /\.createQueryBuilder\(\)/i,
-  /getRepository\(\)\.find/i,
-  // Knex
-  /knex\(\s*['"]?\w+['"]?\s*\)\.where/i,
-  /knex\.raw\(\s*['"][^'"]+['"]\s*,\s*\[/i, // knex.raw with params array
-  // Sequelize
-  /\.findAll\(|\.findOne\(|\.create\(|\.update\(/i,
-  // MongoDB/Mongoose
-  /\.find\(\{|\.findOne\(\{|\.aggregate\(\[/i,
-];
-
-/**
- * Check if a line uses a safe ORM pattern
- */
-function usesSafeORM(line, surroundingLines) {
-  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
-  return SAFE_ORM_PATTERNS.some(pattern => pattern.test(context));
-}
-
-/**
- * Sanitization library patterns
- */
-const SANITIZATION_PATTERNS = [
-  // DOMPurify
-  /DOMPurify\.sanitize\(/i,
-  /purify\.sanitize\(/i,
-  // xss library
-  /\bxss\s*\(/i,
-  /filterXSS\(/i,
-  // sanitize-html
-  /sanitizeHtml\(/i,
-  /sanitize\(/i,
-  // escape-html
-  /escapeHtml\(/i,
-  /escape\(/i,
-  // React's built-in escaping (JSX)
-  /dangerouslySetInnerHTML/i, // When this is NOT present, React escapes by default
-  // encode-html-entities
-  /htmlEncode\(/i,
-  /encodeHTML\(/i,
-];
-
-/**
- * Check if content is sanitized before use
- */
-function isSanitized(line, surroundingLines) {
-  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
-  return SANITIZATION_PATTERNS.some(pattern => pattern.test(context));
-}
-
-/**
- * Path validation patterns
- */
-const PATH_VALIDATION_PATTERNS = [
-  // path.resolve normalizes and makes absolute
-  /path\.resolve\(/i,
-  // path.normalize removes .. traversals
-  /path\.normalize\(/i,
-  // path.join with validation
-  /path\.join\(\s*__dirname/i,
-  /path\.join\(\s*process\.cwd\(\)/i,
-  // Common validation patterns
-  /\.startsWith\(\s*(?:baseDir|rootDir|allowedPath|safeDir)/i,
-  /\.includes\(\s*['"]\.\.["']\s*\)/i, // Manual check for ..
-  /!.*\.includes\(\s*['"]\.\.["']\s*\)/i, // Negated check
-];
-
-/**
- * Check if path is validated/sanitized
- */
-function isPathValidated(line, surroundingLines) {
-  const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
-  return PATH_VALIDATION_PATTERNS.some(pattern => pattern.test(context));
-}
-
-/**
- * Check if SQL query uses parameterized placeholders
- */
-function usesParameterizedQuery(args, code) {
-  if (!args || args.length === 0) return false;
-  
-  const firstArg = args[0];
-  
-  // Check for placeholder patterns in the query string
-  if (t.isStringLiteral(firstArg)) {
-    const query = firstArg.value;
-    // PostgreSQL: $1, $2, etc.
-    if (/\$\d+/.test(query)) return true;
-    // MySQL: ?, ?? placeholders
-    if (/\?/.test(query)) return true;
-    // Named parameters: :name, @name
-    if (/[:@]\w+/.test(query)) return true;
-  }
-  
-  // Check for tagged template literals (safe by default in most ORMs)
-  if (t.isTaggedTemplateExpression(args[0])) {
-    return true;
-  }
-  
-  // Check if there's a second argument that's an array (params)
-  if (args.length >= 2 && t.isArrayExpression(args[1])) {
-    return true;
-  }
-  
-  // Check if second argument is an object (named params)
-  if (args.length >= 2 && t.isObjectExpression(args[1])) {
-    return true;
-  }
-  
-  return false;
-}
-
-/**
- * Get surrounding lines for context analysis
- */
-function getSurroundingLines(lines, lineIndex, range = 3) {
-  const start = Math.max(0, lineIndex - range);
-  const end = Math.min(lines.length, lineIndex + range + 1);
-  return lines.slice(start, end);
-}
-
 /**
  * Analyze a file for security vulnerabilities
  */
@@ -159,7 +22,7 @@ function analyzeSecurityVulnerabilities(code, filePath) {
 
   const lines = code.split("\n");
 
-  // SQL Injection patterns - Enhanced with ORM/parameterization detection
+  // SQL Injection patterns
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
@@ -171,44 +34,24 @@ function analyzeSecurityVulnerabilities(code, filePath) {
         
         // Database query methods
         if (t.isIdentifier(prop) && 
-            ["query", "execute", "exec", "run", "raw"].includes(prop.name)) {
-          
-          const lineNum = node.loc.start.line;
-          const lineContent = lines[lineNum - 1] || "";
-          const surroundingLines = getSurroundingLines(lines, lineNum - 1);
-          
-          // Skip if using safe ORM patterns
-          if (usesSafeORM(lineContent, surroundingLines)) {
-            return;
-          }
-          
-          // Skip if using parameterized queries
-          if (usesParameterizedQuery(node.arguments, code)) {
-            return;
-          }
+            ["query", "execute", "exec", "run"].includes(prop.name)) {
           
           // Check if arguments contain template literals or string concatenation
           for (const arg of node.arguments) {
             if (t.isTemplateLiteral(arg) || 
                 (t.isBinaryExpression(arg) && arg.operator === "+")) {
-              
-              // Double-check it's not a tagged template (safe)
-              if (t.isTaggedTemplateExpression(arg)) {
-                continue;
-              }
-              
+              const line = node.loc.start.line;
               findings.push({
                 type: "sql_injection",
                 severity: "BLOCK",
                 category: "Security",
                 file: filePath,
-                line: lineNum,
+                line,
                 column: node.loc.start.column,
                 title: "Potential SQL injection vulnerability",
-                message: "SQL query constructed with string interpolation. Use parameterized queries instead.",
-                codeSnippet: lineContent.trim(),
+                message: "SQL query constructed with user input without parameterization",
+                codeSnippet: lines[line - 1]?.trim(),
                 confidence: "high",
-                fixHint: "Use parameterized queries: query('SELECT * FROM users WHERE id = $1', [userId])",
               });
               break;
             }
@@ -218,7 +61,7 @@ function analyzeSecurityVulnerabilities(code, filePath) {
     },
   });
 
-  // XSS vulnerabilities - Enhanced with sanitization detection
+  // XSS vulnerabilities
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
@@ -231,38 +74,21 @@ function analyzeSecurityVulnerabilities(code, filePath) {
         if (t.isIdentifier(prop) && 
             ["innerHTML", "outerHTML", "insertAdjacentHTML"].includes(prop.name)) {
           
-          const lineNum = node.loc.start.line;
-          const lineContent = lines[lineNum - 1] || "";
-          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
-          
-          // Skip if content is sanitized
-          if (isSanitized(lineContent, surroundingLines)) {
-            return;
-          }
-          
           // Check if argument comes from user input or URL params
           for (const arg of node.arguments) {
             if (t.isIdentifier(arg) || t.isMemberExpression(arg)) {
-              // Check if the argument itself is a sanitize call
-              if (t.isCallExpression(arg)) {
-                const argCode = code.substring(arg.start, arg.end);
-                if (SANITIZATION_PATTERNS.some(p => p.test(argCode))) {
-                  continue;
-                }
-              }
-              
+              const line = node.loc.start.line;
               findings.push({
                 type: "xss",
                 severity: "BLOCK",
                 category: "Security",
                 file: filePath,
-                line: lineNum,
+                line,
                 column: node.loc.start.column,
                 title: "Potential XSS vulnerability",
-                message: `Using ${prop.name} with potentially unsafe content. Sanitize before rendering.`,
-                codeSnippet: lineContent.trim(),
+                message: `Using ${prop.name} with potentially unsafe content`,
+                codeSnippet: lines[line - 1]?.trim(),
                 confidence: "med",
-                fixHint: "Use DOMPurify.sanitize(content) or sanitize-html before setting innerHTML",
               });
               break;
             }
@@ -271,229 +97,75 @@ function analyzeSecurityVulnerabilities(code, filePath) {
       }
     },
   });
-  
-  // Also check for dangerouslySetInnerHTML in React
-  traverse(ast, {
-    JSXAttribute(path) {
-      const node = path.node;
-      
-      if (t.isJSXIdentifier(node.name, { name: "dangerouslySetInnerHTML" })) {
-        const lineNum = node.loc.start.line;
-        const lineContent = lines[lineNum - 1] || "";
-        const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
-        
-        // Skip if content is sanitized
-        if (isSanitized(lineContent, surroundingLines)) {
-          return;
-        }
-        
-        findings.push({
-          type: "xss",
-          severity: "WARN",
-          category: "Security",
-          file: filePath,
-          line: lineNum,
-          column: node.loc.start.column,
-          title: "Potential XSS via dangerouslySetInnerHTML",
-          message: "Using dangerouslySetInnerHTML without visible sanitization",
-          codeSnippet: lineContent.trim(),
-          confidence: "med",
-          fixHint: "Sanitize content with DOMPurify.sanitize() before rendering",
-        });
-      }
-    },
-  });
 
-  // Command injection - Enhanced with shell escape detection
-  const SHELL_ESCAPE_PATTERNS = [
-    /shellEscape\(/i,
-    /escapeShell\(/i,
-    /shell-escape/i,
-    /shellescape/i,
-    /quote\(/i, // shell-quote
-  ];
-  
-  function isShellEscaped(line, surroundingLines) {
-    const context = surroundingLines ? [...surroundingLines, line].join('\n') : line;
-    return SHELL_ESCAPE_PATTERNS.some(pattern => pattern.test(context));
-  }
-  
+  // Command injection
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
       
       // Dangerous command execution methods
-      let methodName = null;
-      
-      if (t.isIdentifier(node.callee)) {
-        methodName = node.callee.name;
-      } else if (t.isMemberExpression(node.callee) && t.isIdentifier(node.callee.property)) {
-        methodName = node.callee.property.name;
-      }
-      
-      const dangerousMethods = ["exec", "spawn", "execSync", "spawnSync", "execFile", "execFileSync"];
-      
-      if (methodName && dangerousMethods.includes(methodName)) {
-        const lineNum = node.loc.start.line;
-        const lineContent = lines[lineNum - 1] || "";
-        const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
-        
-        // Skip if shell-escaped
-        if (isShellEscaped(lineContent, surroundingLines)) {
-          return;
-        }
-        
-        // Check if arguments contain user input
-        for (const arg of node.arguments) {
-          if (t.isTemplateLiteral(arg) || 
-              (t.isBinaryExpression(arg) && arg.operator === "+")) {
-            findings.push({
-              type: "command_injection",
-              severity: "BLOCK",
-              category: "Security",
-              file: filePath,
-              line: lineNum,
-              column: node.loc.start.column,
-              title: "Potential command injection vulnerability",
-              message: "Command execution with string interpolation. Use array args or shell-escape.",
-              codeSnippet: lineContent.trim(),
-              confidence: "high",
-              fixHint: "Use spawn with array arguments: spawn('cmd', [arg1, arg2]) instead of shell strings",
-            });
-            break;
-          }
-        }
-      }
-    },
-  });
-
-  // SSRF (Server-Side Request Forgery) detection
-  traverse(ast, {
-    CallExpression(path) {
-      const node = path.node;
-      
-      // Check for fetch, axios, http.request with dynamic URLs
-      let isHttpCall = false;
-      let methodName = "";
-      
       if (t.isIdentifier(node.callee)) {
-        isHttpCall = ["fetch", "axios", "request", "got", "superagent"].includes(node.callee.name);
-        methodName = node.callee.name;
-      } else if (t.isMemberExpression(node.callee)) {
-        const prop = node.callee.property;
-        if (t.isIdentifier(prop)) {
-          isHttpCall = ["get", "post", "put", "delete", "request", "fetch"].includes(prop.name);
-          methodName = prop.name;
-        }
-      }
-      
-      if (isHttpCall && node.arguments.length > 0) {
-        const urlArg = node.arguments[0];
+        const dangerousMethods = ["exec", "spawn", "execSync", "spawnSync"];
         
-        // Check if URL contains user input
-        if (t.isTemplateLiteral(urlArg) && urlArg.expressions && urlArg.expressions.length > 0) {
-          const lineNum = node.loc.start.line;
-          const lineContent = lines[lineNum - 1] || "";
-          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
-          
-          // Check for URL validation patterns
-          const urlValidationPatterns = [
-            /new URL\(/i,
-            /url\.parse\(/i,
-            /isValidUrl\(/i,
-            /validateUrl\(/i,
-            /allowedHosts/i,
-            /whitelist/i,
-          ];
-          
-          const hasUrlValidation = urlValidationPatterns.some(p => 
-            p.test(lineContent) || p.test(surroundingLines.join('\n'))
-          );
-          
-          if (!hasUrlValidation) {
-            findings.push({
-              type: "ssrf",
-              severity: "WARN",
-              category: "Security",
-              file: filePath,
-              line: lineNum,
-              column: node.loc.start.column,
-              title: "Potential SSRF vulnerability",
-              message: "HTTP request with user-controlled URL without visible validation",
-              codeSnippet: lineContent.trim(),
-              confidence: "med",
-              fixHint: "Validate URLs against an allowlist of hosts before making requests",
-            });
+        if (dangerousMethods.includes(node.callee.name)) {
+          // Check if arguments contain user input
+          for (const arg of node.arguments) {
+            if (t.isTemplateLiteral(arg) || 
+                (t.isBinaryExpression(arg) && arg.operator === "+")) {
+              const line = node.loc.start.line;
+              findings.push({
+                type: "command_injection",
+                severity: "BLOCK",
+                category: "Security",
+                file: filePath,
+                line,
+                column: node.loc.start.column,
+                title: "Potential command injection vulnerability",
+                message: "Command execution with potentially unsafe user input",
+                codeSnippet: lines[line - 1]?.trim(),
+                confidence: "high",
+              });
+              break;
+            }
           }
         }
       }
     },
   });
 
-  // Path traversal - Enhanced with path validation detection
+  // Path traversal
   traverse(ast, {
     CallExpression(path) {
       const node = path.node;
       
       // File system operations
-      if (t.isMemberExpression(node.callee)) {
-        const obj = node.callee.object;
+      if (t.isMemberExpression(node.callee) && 
+          t.isIdentifier(node.callee.object, { name: "fs" })) {
         const prop = node.callee.property;
         
-        // Check for fs.* or fs/promises methods
-        const isFsCall = t.isIdentifier(obj, { name: "fs" }) || 
-                         t.isIdentifier(obj, { name: "fsp" }) ||
-                         t.isIdentifier(obj, { name: "fsPromises" });
-        
-        if (isFsCall && t.isIdentifier(prop) && 
-            ["readFile", "writeFile", "readFileSync", "writeFileSync", "unlink", 
-             "unlinkSync", "access", "accessSync", "stat", "statSync",
-             "readdir", "readdirSync", "mkdir", "mkdirSync"].includes(prop.name)) {
-          
-          const lineNum = node.loc.start.line;
-          const lineContent = lines[lineNum - 1] || "";
-          const surroundingLines = getSurroundingLines(lines, lineNum - 1, 5);
-          
-          // Skip if path is validated/sanitized
-          if (isPathValidated(lineContent, surroundingLines)) {
-            return;
-          }
+        if (t.isIdentifier(prop) && 
+            ["readFile", "writeFile", "readFileSync", "writeFileSync", "unlink"].includes(prop.name)) {
           
           // Check if path contains user input or "../"
           for (const arg of node.arguments) {
-            let hasTraversal = false;
-            let hasUserInput = false;
-            
             if (t.isTemplateLiteral(arg)) {
               const template = code.substring(arg.start, arg.end);
-              hasTraversal = template.includes("../") || template.includes("..\\");
-              hasUserInput = arg.expressions && arg.expressions.length > 0;
-            } else if (t.isBinaryExpression(arg) && arg.operator === "+") {
-              // String concatenation with user input
-              hasUserInput = true;
-            } else if (t.isIdentifier(arg)) {
-              // Variable path - check if it looks like user input
-              const varName = arg.name.toLowerCase();
-              hasUserInput = /path|file|dir|folder|name|input|param|query|body|req/i.test(varName);
-            }
-            
-            if (hasTraversal || hasUserInput) {
-              findings.push({
-                type: "path_traversal",
-                severity: hasTraversal ? "BLOCK" : "WARN",
-                category: "Security",
-                file: filePath,
-                line: lineNum,
-                column: node.loc.start.column,
-                title: "Potential path traversal vulnerability",
-                message: hasTraversal 
-                  ? "File operation with path containing '..' - validate and sanitize paths"
-                  : "File operation with potentially user-controlled path - validate before use",
-                codeSnippet: lineContent.trim(),
-                confidence: hasTraversal ? "high" : "med",
-                fixHint: "Use path.resolve() with a base directory and validate the result starts with the expected prefix",
-              });
-              break;
+              if (template.includes("../") || template.includes("..\\")) {
+                const line = node.loc.start.line;
+                findings.push({
+                  type: "path_traversal",
+                  severity: "BLOCK",
+                  category: "Security",
+                  file: filePath,
+                  line,
+                  column: node.loc.start.column,
+                  title: "Potential path traversal vulnerability",
+                  message: "File operation with path containing '..' - validate and sanitize paths",
+                  codeSnippet: lines[line - 1]?.trim(),
+                  confidence: "high",
+                });
+                break;
+              }
             }
           }
         }