@vibecheckai/cli 3.5.0 → 3.5.2

package/bin/runners/lib/engines/env-variables-engine.js

@@ -1,458 +0,0 @@
-/**
- * Environment Variables Engine
- * Detects:
- * - Missing environment variable validation
- * - Insecure default values
- * - Exposed secrets in .env files committed to git
- * - Missing required env vars
- * - Type coercion issues
- * - Environment-specific configuration problems
- */
-
-const { getAST } = require("./ast-cache");
-const traverse = require("@babel/traverse").default;
-const t = require("@babel/types");
-const fs = require("fs");
-const path = require("path");
-
-/**
- * Required environment variables for common frameworks
- */
-const COMMON_REQUIRED_VARS = {
-  nextjs: ["NEXTAUTH_SECRET", "NEXTAUTH_URL"],
-  database: ["DATABASE_URL"],
-  stripe: ["STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET"],
-  auth: ["JWT_SECRET", "SESSION_SECRET"],
-  aws: ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_REGION"],
-  email: ["SMTP_HOST", "SMTP_USER", "SMTP_PASSWORD"],
-};
-
-/**
- * Patterns that suggest sensitive env vars
- */
-const SENSITIVE_VAR_PATTERNS = [
-  /SECRET/i,
-  /PASSWORD/i,
-  /TOKEN/i,
-  /API_KEY/i,
-  /PRIVATE/i,
-  /CREDENTIAL/i,
-  /AUTH/i,
-  /KEY$/i,
-];
-
-/**
- * Insecure default values
- */
-const INSECURE_DEFAULTS = [
-  { pattern: /^(password|secret|test|demo|admin|123|abc)$/i, message: "Insecure default value" },
-  { pattern: /^(localhost|127\.0\.0\.1|0\.0\.0\.0)$/, message: "Development-only default" },
-  { pattern: /^(true|false)$/, message: "Boolean default may hide missing config" },
-  { pattern: /^your[-_]?/i, message: "Placeholder default value" },
-  { pattern: /^change[-_]?me/i, message: "Placeholder default value" },
-  { pattern: /^xxx+$/i, message: "Placeholder default value" },
-];
-
-/**
- * Check if a variable name looks sensitive
- */
-function isSensitiveVar(varName) {
-  return SENSITIVE_VAR_PATTERNS.some(p => p.test(varName));
-}
-
-/**
- * Check if a default value is insecure
- */
-function checkInsecureDefault(value) {
-  for (const { pattern, message } of INSECURE_DEFAULTS) {
-    if (pattern.test(value)) {
-      return message;
-    }
-  }
-  return null;
-}
-
-/**
- * Parse .env file content
- */
-function parseEnvFile(content) {
-  const vars = new Map();
-  const lines = content.split("\n");
-  
-  for (let i = 0; i < lines.length; i++) {
-    const line = lines[i].trim();
-    
-    // Skip comments and empty lines
-    if (!line || line.startsWith("#")) continue;
-    
-    // Parse key=value
-    const match = line.match(/^([A-Z_][A-Z0-9_]*)\s*=\s*(.*)$/i);
-    if (match) {
-      const [, key, rawValue] = match;
-      // Remove quotes
-      let value = rawValue.trim();
-      if ((value.startsWith('"') && value.endsWith('"')) ||
-          (value.startsWith("'") && value.endsWith("'"))) {
-        value = value.slice(1, -1);
-      }
-      vars.set(key, { value, line: i + 1 });
-    }
-  }
-  
-  return vars;
-}
-
-/**
- * Analyze .env file for issues
- */
-function analyzeEnvFile(content, filePath) {
-  const findings = [];
-  const vars = parseEnvFile(content);
-  const lines = content.split("\n");
-  
-  for (const [key, { value, line }] of vars) {
-    // Check for sensitive vars with actual values (not placeholders)
-    if (isSensitiveVar(key) && value && value.length > 5) {
-      // Check if it looks like a real secret (not a placeholder)
-      const isPlaceholder = /^(your|change|xxx|placeholder|example|sample)/i.test(value);
-      
-      if (!isPlaceholder) {
-        findings.push({
-          type: "exposed_secret",
-          severity: "BLOCK",
-          category: "Security",
-          file: filePath,
-          line,
-          column: 0,
-          title: `Potential secret in env file: ${key}`,
-          message: `The variable '${key}' appears to contain a real secret. Ensure this file is in .gitignore.`,
-          codeSnippet: `${key}=***`,
-          confidence: "high",
-          fixHint: "Add .env to .gitignore and use .env.example with placeholder values",
-        });
-      }
-    }
-    
-    // Check for insecure defaults
-    const insecureMessage = checkInsecureDefault(value);
-    if (insecureMessage && isSensitiveVar(key)) {
-      findings.push({
-        type: "insecure_default",
-        severity: "WARN",
-        category: "Security",
-        file: filePath,
-        line,
-        column: 0,
-        title: `${insecureMessage}: ${key}`,
-        message: `The variable '${key}' has an insecure or placeholder default value.`,
-        codeSnippet: lines[line - 1]?.trim(),
-        confidence: "med",
-        fixHint: "Use a secure, randomly generated value",
-      });
-    }
-    
-    // Check for empty values on required-looking vars
-    if (!value && isSensitiveVar(key)) {
-      findings.push({
-        type: "empty_env_var",
-        severity: "INFO",
-        category: "Configuration",
-        file: filePath,
-        line,
-        column: 0,
-        title: `Empty value for: ${key}`,
-        message: `The variable '${key}' is defined but has no value.`,
-        codeSnippet: lines[line - 1]?.trim(),
-        confidence: "low",
-        fixHint: "Set a value or remove if not needed",
-      });
-    }
-  }
-  
-  return findings;
-}
-
-/**
- * Analyze code for environment variable usage issues
- */
-function analyzeEnvUsage(code, filePath) {
-  const findings = [];
-  const ast = getAST(code, filePath);
-  if (!ast) return findings;
-  
-  const lines = code.split("\n");
-  const envVarsUsed = new Map(); // varName -> locations
-  const envVarsValidated = new Set();
-  
-  traverse(ast, {
-    MemberExpression(path) {
-      const node = path.node;
-      const loc = node.loc?.start;
-      if (!loc) return;
-      
-      // Check for process.env.VAR_NAME
-      if (t.isMemberExpression(node.object) &&
-          t.isIdentifier(node.object.object, { name: "process" }) &&
-          t.isIdentifier(node.object.property, { name: "env" })) {
-        
-        let varName = null;
-        if (t.isIdentifier(node.property)) {
-          varName = node.property.name;
-        } else if (t.isStringLiteral(node.property)) {
-          varName = node.property.value;
-        }
-        
-        if (varName) {
-          if (!envVarsUsed.has(varName)) {
-            envVarsUsed.set(varName, []);
-          }
-          envVarsUsed.get(varName).push({ line: loc.line, path });
-          
-          // Check for default value usage
-          const parent = path.parentPath;
-          
-          // Check for || or ?? with default
-          if (parent.isLogicalExpression() && 
-              (parent.node.operator === "||" || parent.node.operator === "??")) {
-            const right = parent.node.right;
-            
-            // Check if default is insecure
-            if (t.isStringLiteral(right)) {
-              const defaultValue = right.value;
-              const insecureMessage = checkInsecureDefault(defaultValue);
-              
-              if (insecureMessage && isSensitiveVar(varName)) {
-                findings.push({
-                  type: "insecure_env_default",
-                  severity: "WARN",
-                  category: "Security",
-                  file: filePath,
-                  line: loc.line,
-                  column: loc.column,
-                  title: `Insecure default for ${varName}`,
-                  message: `${insecureMessage} for sensitive variable.`,
-                  codeSnippet: lines[loc.line - 1]?.trim(),
-                  confidence: "med",
-                  fixHint: "Throw error if required env var is missing instead of using default",
-                });
-              }
-            }
-          }
-          
-          // Check for validation patterns
-          if (parent.isIfStatement() || 
-              parent.isConditionalExpression() ||
-              parent.isLogicalExpression()) {
-            envVarsValidated.add(varName);
-          }
-        }
-      }
-      
-      // Check for import.meta.env.VAR_NAME (Vite)
-      if (t.isMemberExpression(node.object) &&
-          t.isMetaProperty(node.object.object) &&
-          t.isIdentifier(node.object.property, { name: "env" })) {
-        
-        let varName = null;
-        if (t.isIdentifier(node.property)) {
-          varName = node.property.name;
-        }
-        
-        if (varName) {
-          if (!envVarsUsed.has(varName)) {
-            envVarsUsed.set(varName, []);
-          }
-          envVarsUsed.get(varName).push({ line: loc.line, path });
-        }
-      }
-    },
-    
-    // Check for zod/validation schemas
-    CallExpression(path) {
-      const callee = path.node.callee;
-      
-      // z.object({ VAR: z.string() })
-      if (t.isMemberExpression(callee) &&
-          t.isIdentifier(callee.property, { name: "object" })) {
-        const args = path.node.arguments;
-        if (args[0] && t.isObjectExpression(args[0])) {
-          for (const prop of args[0].properties) {
-            if (t.isObjectProperty(prop) && t.isIdentifier(prop.key)) {
-              envVarsValidated.add(prop.key.name);
-            }
-          }
-        }
-      }
-    },
-  });
-  
-  // Check for unvalidated sensitive env vars
-  for (const [varName, usages] of envVarsUsed) {
-    if (isSensitiveVar(varName) && !envVarsValidated.has(varName)) {
-      const firstUsage = usages[0];
-      
-      findings.push({
-        type: "unvalidated_env_var",
-        severity: "INFO",
-        category: "Configuration",
-        file: filePath,
-        line: firstUsage.line,
-        column: 0,
-        title: `Unvalidated env var: ${varName}`,
-        message: `Sensitive variable '${varName}' is used without validation. Consider using zod or a similar validation library.`,
-        codeSnippet: lines[firstUsage.line - 1]?.trim(),
-        confidence: "low",
-        fixHint: "Add runtime validation: if (!process.env.VAR) throw new Error('Missing VAR')",
-      });
-    }
-  }
-  
-  // Check for type coercion issues
-  traverse(ast, {
-    BinaryExpression(path) {
-      const node = path.node;
-      const loc = node.loc?.start;
-      if (!loc) return;
-      
-      // Check for process.env.VAR === true/false (always false)
-      if ((node.operator === "===" || node.operator === "==") &&
-          (t.isBooleanLiteral(node.right) || t.isBooleanLiteral(node.left))) {
-        
-        const envSide = t.isBooleanLiteral(node.right) ? node.left : node.right;
-        
-        if (t.isMemberExpression(envSide) &&
-            t.isMemberExpression(envSide.object) &&
-            t.isIdentifier(envSide.object.object, { name: "process" }) &&
-            t.isIdentifier(envSide.object.property, { name: "env" })) {
-          
-          findings.push({
-            type: "env_type_coercion",
-            severity: "WARN",
-            category: "CodeQuality",
-            file: filePath,
-            line: loc.line,
-            column: loc.column,
-            title: "Env var compared to boolean",
-            message: "Environment variables are always strings. This comparison may not work as expected.",
-            codeSnippet: lines[loc.line - 1]?.trim(),
-            confidence: "high",
-            fixHint: "Use process.env.VAR === 'true' instead",
-          });
-        }
-      }
-      
-      // Check for process.env.VAR === number (always false)
-      if ((node.operator === "===" || node.operator === "==") &&
-          (t.isNumericLiteral(node.right) || t.isNumericLiteral(node.left))) {
-        
-        const envSide = t.isNumericLiteral(node.right) ? node.left : node.right;
-        
-        if (t.isMemberExpression(envSide) &&
-            t.isMemberExpression(envSide.object) &&
-            t.isIdentifier(envSide.object.object, { name: "process" }) &&
-            t.isIdentifier(envSide.object.property, { name: "env" })) {
-          
-          findings.push({
-            type: "env_type_coercion",
-            severity: "WARN",
-            category: "CodeQuality",
-            file: filePath,
-            line: loc.line,
-            column: loc.column,
-            title: "Env var compared to number",
-            message: "Environment variables are always strings. Use Number() or parseInt() first.",
-            codeSnippet: lines[loc.line - 1]?.trim(),
-            confidence: "high",
-            fixHint: "Use Number(process.env.VAR) === 123 instead",
-          });
-        }
-      }
-    },
-  });
-  
-  return findings;
-}
-
-/**
- * Check for missing env files or misconfigurations
- */
-function analyzeEnvSetup(repoRoot) {
-  const findings = [];
-  
-  // Check if .env is in .gitignore
-  const gitignorePath = path.join(repoRoot, ".gitignore");
-  if (fs.existsSync(gitignorePath)) {
-    const gitignore = fs.readFileSync(gitignorePath, "utf8");
-    const hasEnvIgnore = /^\.env$/m.test(gitignore) || 
-                         /^\*\.env$/m.test(gitignore) ||
-                         /^\.env\.\*$/m.test(gitignore);
-    
-    if (!hasEnvIgnore) {
-      // Check if .env exists
-      const envPath = path.join(repoRoot, ".env");
-      if (fs.existsSync(envPath)) {
-        findings.push({
-          type: "env_not_gitignored",
-          severity: "BLOCK",
-          category: "Security",
-          file: ".gitignore",
-          line: 1,
-          column: 0,
-          title: ".env file may be committed to git",
-          message: ".env is not in .gitignore but exists. Secrets may be exposed.",
-          codeSnippet: "",
-          confidence: "high",
-          fixHint: "Add '.env' and '.env.*' to .gitignore",
-        });
-      }
-    }
-  }
-  
-  // Check for .env.example or .env.template
-  const hasExample = fs.existsSync(path.join(repoRoot, ".env.example")) ||
-                     fs.existsSync(path.join(repoRoot, ".env.template")) ||
-                     fs.existsSync(path.join(repoRoot, ".env.sample"));
-  
-  if (!hasExample && fs.existsSync(path.join(repoRoot, ".env"))) {
-    findings.push({
-      type: "missing_env_example",
-      severity: "INFO",
-      category: "Configuration",
-      file: ".env",
-      line: 1,
-      column: 0,
-      title: "Missing .env.example file",
-      message: "Consider creating .env.example with placeholder values for other developers.",
-      codeSnippet: "",
-      confidence: "low",
-      fixHint: "Create .env.example with YOUR_VAR=your_value_here format",
-    });
-  }
-  
-  return findings;
-}
-
-/**
- * Main analysis function
- */
-function analyzeEnvVariables(code, filePath) {
-  // Check if it's an env file
-  if (filePath.includes(".env")) {
-    return analyzeEnvFile(code, filePath);
-  }
-  
-  // Otherwise analyze code for env usage
-  return analyzeEnvUsage(code, filePath);
-}
-
-module.exports = {
-  analyzeEnvVariables,
-  analyzeEnvFile,
-  analyzeEnvUsage,
-  analyzeEnvSetup,
-  parseEnvFile,
-  isSensitiveVar,
-  checkInsecureDefault,
-  COMMON_REQUIRED_VARS,
-  SENSITIVE_VAR_PATTERNS,
-};