acidtest 0.7.0 → 1.0.0

package/dist/patterns/dangerous-imports-python.json

@@ -0,0 +1,256 @@
+{
+  "category": "dangerous-imports",
+  "patterns": [
+    {
+      "id": "pyimp-001",
+      "name": "subprocess-module",
+      "description": "Imports subprocess module for command execution",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+subprocess|from\\s+subprocess\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code",
+      "remediation": {
+        "title": "Avoid subprocess when possible",
+        "suggestions": [
+          "Use built-in Python APIs instead of shell commands",
+          "If subprocess is necessary, never use shell=True",
+          "Never pass user input directly to subprocess functions",
+          "Use explicit argument lists with subprocess.run([cmd, arg1, arg2])",
+          "Validate and sanitize all command arguments"
+        ]
+      }
+    },
+    {
+      "id": "pyimp-002",
+      "name": "os-system-import",
+      "description": "Imports os module which provides os.system() for command execution",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+os|from\\s+os\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-003",
+      "name": "eval-builtin",
+      "description": "Uses eval() builtin for arbitrary code execution",
+      "severity": "CRITICAL",
+      "match": {
+        "type": "regex",
+        "value": "\\beval\\s*\\(",
+        "flags": "g"
+      },
+      "layer": "code",
+      "remediation": {
+        "title": "Replace eval() with safer alternatives",
+        "suggestions": [
+          "Use json.loads() for parsing JSON strings",
+          "Use ast.literal_eval() for safely evaluating Python literals",
+          "Consider removing dynamic code execution entirely",
+          "If absolutely necessary, validate and sanitize all inputs"
+        ]
+      }
+    },
+    {
+      "id": "pyimp-004",
+      "name": "exec-builtin",
+      "description": "Uses exec() builtin for arbitrary code execution",
+      "severity": "CRITICAL",
+      "match": {
+        "type": "regex",
+        "value": "\\bexec\\s*\\(",
+        "flags": "g"
+      },
+      "layer": "code",
+      "remediation": {
+        "title": "Avoid exec() for dynamic code execution",
+        "suggestions": [
+          "Refactor to use static function definitions",
+          "Use importlib for dynamic module loading instead",
+          "If truly necessary, ensure all code is from trusted sources only",
+          "Consider using a restricted globals/locals dictionary"
+        ]
+      }
+    },
+    {
+      "id": "pyimp-005",
+      "name": "compile-builtin",
+      "description": "Uses compile() builtin for code object creation",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "\\bcompile\\s*\\(",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-006",
+      "name": "pickle-module",
+      "description": "Imports pickle module for unsafe deserialization",
+      "severity": "CRITICAL",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+pickle|from\\s+pickle\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code",
+      "remediation": {
+        "title": "Replace pickle with safer serialization",
+        "suggestions": [
+          "Use json for data serialization when possible",
+          "For complex objects, consider msgpack or protobuf",
+          "Never unpickle data from untrusted sources",
+          "If pickle is required, use hmac to verify data integrity",
+          "Consider using restricted unpicklers with custom find_class()"
+        ]
+      }
+    },
+    {
+      "id": "pyimp-007",
+      "name": "shelve-module",
+      "description": "Imports shelve module which uses pickle internally",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+shelve|from\\s+shelve\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-008",
+      "name": "marshal-module",
+      "description": "Imports marshal module for unsafe deserialization",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+marshal|from\\s+marshal\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-009",
+      "name": "import-builtin",
+      "description": "Uses __import__ builtin for dynamic imports",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "\\b__import__\\s*\\(",
+        "flags": "g"
+      },
+      "layer": "code",
+      "remediation": {
+        "title": "Replace dynamic imports with static imports",
+        "suggestions": [
+          "Use static import statements when possible",
+          "Use importlib.import_module() with whitelisted module names",
+          "Validate module names against a known set before importing",
+          "Consider using entry points or plugin systems instead"
+        ]
+      }
+    },
+    {
+      "id": "pyimp-010",
+      "name": "importlib-import",
+      "description": "Uses importlib for dynamic module imports",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+importlib|from\\s+importlib\\s+import|importlib\\.import_module)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-011",
+      "name": "ctypes-module",
+      "description": "Imports ctypes for native code execution",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+ctypes|from\\s+ctypes\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-012",
+      "name": "cffi-module",
+      "description": "Imports cffi for native code execution",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+cffi|from\\s+cffi\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-013",
+      "name": "socket-module",
+      "description": "Imports socket module for network access",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+socket|from\\s+socket\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-014",
+      "name": "requests-module",
+      "description": "Imports requests module for HTTP requests",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+requests|from\\s+requests\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-015",
+      "name": "urllib-module",
+      "description": "Imports urllib for URL/HTTP operations",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+urllib|from\\s+urllib)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-016",
+      "name": "httpx-module",
+      "description": "Imports httpx module for HTTP requests",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "(import\\s+httpx|from\\s+httpx\\s+import)",
+        "flags": "g"
+      },
+      "layer": "code"
+    },
+    {
+      "id": "pyimp-017",
+      "name": "input-builtin",
+      "description": "Uses input() for user input which could be dangerous",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "\\binput\\s*\\(",
+        "flags": "g"
+      },
+      "layer": "code"
+    }
+  ]
+}

package/dist/patterns/insecure-crypto.json

@@ -0,0 +1,163 @@
+{
+  "category": "insecure-crypto",
+  "patterns": [
+    {
+      "id": "crypto-001",
+      "name": "MD5 hash algorithm usage",
+      "description": "MD5 is cryptographically broken and should not be used for security purposes",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(createHash|hashlib\\.(md5|new)).*['\"]md5['\"]",
+        "flags": "i"
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use secure hash algorithms",
+        "suggestions": [
+          "Use SHA-256 or SHA-3 for hashing",
+          "For passwords, use bcrypt, scrypt, or Argon2",
+          "MD5 is vulnerable to collision attacks",
+          "For TypeScript: crypto.createHash('sha256')",
+          "For Python: hashlib.sha256()"
+        ]
+      }
+    },
+    {
+      "id": "crypto-002",
+      "name": "SHA-1 hash algorithm usage",
+      "description": "SHA-1 is deprecated and vulnerable to collision attacks",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "(createHash|hashlib\\.(sha1|new)).*['\"]sha1['\"]",
+        "flags": "i"
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use SHA-256 or better",
+        "suggestions": [
+          "Migrate to SHA-256, SHA-384, or SHA-512",
+          "SHA-1 is deprecated by NIST since 2011",
+          "Vulnerable to collision attacks (SHAttered attack)",
+          "Use SHA-256 minimum for new applications"
+        ]
+      }
+    },
+    {
+      "id": "crypto-003",
+      "name": "Weak random number generation",
+      "description": "Math.random() is not cryptographically secure",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "Math\\.random\\(\\)",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use cryptographically secure random",
+        "suggestions": [
+          "For TypeScript: Use crypto.randomBytes() or crypto.getRandomValues()",
+          "For Python: Use secrets module instead of random",
+          "Math.random() is predictable and not suitable for security",
+          "Never use Math.random() for tokens, keys, or security-sensitive operations"
+        ]
+      }
+    },
+    {
+      "id": "crypto-004",
+      "name": "Python random module for security (Python)",
+      "description": "Python's random module is not cryptographically secure",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "import random|from random import",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use secrets module",
+        "suggestions": [
+          "Use 'import secrets' instead of 'import random' for security",
+          "secrets.token_bytes(), secrets.token_hex(), secrets.token_urlsafe()",
+          "random module uses Mersenne Twister which is predictable",
+          "Only use random module for non-security purposes (games, simulations)"
+        ]
+      }
+    },
+    {
+      "id": "crypto-005",
+      "name": "Hardcoded secret or API key",
+      "description": "Hardcoded secrets in source code are a security risk",
+      "severity": "CRITICAL",
+      "match": {
+        "type": "regex",
+        "value": "(api[_-]?key|secret|password|token|auth)\\s*=\\s*['\"][a-zA-Z0-9_-]{20,}['\"]",
+        "flags": "i"
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use environment variables",
+        "suggestions": [
+          "Store secrets in environment variables (process.env.API_KEY)",
+          "Use a secrets management service (AWS Secrets Manager, HashiCorp Vault)",
+          "Never commit secrets to version control",
+          "Use .env files (but add .env to .gitignore)",
+          "Rotate any secrets that were accidentally committed"
+        ]
+      }
+    },
+    {
+      "id": "crypto-006",
+      "name": "DES/3DES cipher usage",
+      "description": "DES and 3DES are obsolete and insecure encryption algorithms",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(createCipher|Cipher\\.getInstance).*['\"]?(DES|3DES|TripleDES)['\"]?",
+        "flags": "i"
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use AES encryption",
+        "suggestions": [
+          "Use AES-256-GCM or AES-256-CBC for encryption",
+          "DES has a 56-bit key which is too weak",
+          "3DES is deprecated and slow",
+          "For TypeScript: crypto.createCipheriv('aes-256-gcm', key, iv)",
+          "For Python: Use cryptography library with AES"
+        ]
+      }
+    },
+    {
+      "id": "crypto-007",
+      "name": "ECB cipher mode usage",
+      "description": "ECB mode does not provide message confidentiality",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "(createCipher|Cipher\\.getInstance).*ECB",
+        "flags": "i"
+      },
+      "layer": "code",
+      "category": "insecure-crypto",
+      "remediation": {
+        "title": "Use GCM or CBC mode",
+        "suggestions": [
+          "Use AES-GCM mode (provides authentication)",
+          "Use AES-CBC mode with HMAC for authentication",
+          "ECB mode reveals patterns in plaintext",
+          "ECB is deterministic - same plaintext produces same ciphertext",
+          "Never use ECB mode for encrypting more than one block"
+        ]
+      }
+    }
+  ]
+}

package/dist/patterns/prototype-pollution.json

@@ -0,0 +1,72 @@
+{
+  "category": "prototype-pollution",
+  "patterns": [
+    {
+      "id": "proto-001",
+      "name": "Direct __proto__ access",
+      "description": "Direct access or modification of __proto__ can lead to prototype pollution",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "__proto__|\\[\\s*['\"]__proto__['\"]\\s*\\]",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "prototype-pollution",
+      "remediation": {
+        "title": "Avoid __proto__ access",
+        "suggestions": [
+          "Use Object.create(null) to create objects without prototype",
+          "Use Object.setPrototypeOf() if prototype modification is necessary",
+          "Validate and sanitize object keys before assignment",
+          "Use Object.freeze() to prevent prototype modification",
+          "Never allow user input to set object properties dynamically"
+        ]
+      }
+    },
+    {
+      "id": "proto-002",
+      "name": "constructor.prototype manipulation",
+      "description": "Modifying constructor.prototype can affect all instances",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "constructor\\[\\s*['\"]prototype['\"]\\s*\\]|constructor\\.prototype\\[",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "prototype-pollution",
+      "remediation": {
+        "title": "Avoid prototype manipulation",
+        "suggestions": [
+          "Validate object keys before dynamic property access",
+          "Use Object.create(null) for user-controlled objects",
+          "Implement key whitelisting for dynamic properties",
+          "Consider using Map instead of plain objects for key-value storage"
+        ]
+      }
+    },
+    {
+      "id": "proto-003",
+      "name": "Object merge without key validation",
+      "description": "Merging objects without validating keys can lead to prototype pollution",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "(Object\\.assign|\\.\\.\\.|merge|extend)\\([^)]*\\)",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "prototype-pollution",
+      "remediation": {
+        "title": "Validate keys during merge",
+        "suggestions": [
+          "Validate that source objects don't contain __proto__, constructor, or prototype",
+          "Use a safe merge function that filters dangerous keys",
+          "Consider using libraries like 'lodash.merge' with proper configuration",
+          "Implement a key whitelist for allowed properties"
+        ]
+      }
+    }
+  ]
+}

package/dist/patterns/python-deserialization.json

@@ -0,0 +1,94 @@
+{
+  "category": "deserialization",
+  "patterns": [
+    {
+      "id": "deser-001",
+      "name": "YAML unsafe load (Python)",
+      "description": "yaml.load() without Loader parameter can execute arbitrary code",
+      "severity": "CRITICAL",
+      "match": {
+        "type": "regex",
+        "value": "yaml\\.load\\([^,)]+\\)|yaml\\.load\\([^)]*,\\s*Loader\\s*=\\s*yaml\\.Loader\\s*\\)",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "deserialization",
+      "remediation": {
+        "title": "Use yaml.safe_load()",
+        "suggestions": [
+          "Use yaml.safe_load() instead of yaml.load()",
+          "If Loader is needed, use yaml.SafeLoader",
+          "yaml.load() can execute arbitrary Python code in YAML",
+          "Example: yaml.safe_load(data) or yaml.load(data, Loader=yaml.SafeLoader)"
+        ]
+      }
+    },
+    {
+      "id": "deser-002",
+      "name": "XML parsing without entity protection (Python)",
+      "description": "XML parsing without defusedxml can be vulnerable to XXE and billion laughs attacks",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "from xml\\.etree|import xml\\.etree|ElementTree\\.parse|lxml\\.etree",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "deserialization",
+      "remediation": {
+        "title": "Use defusedxml library",
+        "suggestions": [
+          "Use defusedxml library instead of xml.etree or lxml",
+          "Install: pip install defusedxml",
+          "from defusedxml.ElementTree import parse",
+          "Protects against XXE, billion laughs, and other XML attacks",
+          "Configure parsers to disable external entities"
+        ]
+      }
+    },
+    {
+      "id": "deser-003",
+      "name": "marshal.loads() usage (Python)",
+      "description": "marshal module is not safe for untrusted data",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "marshal\\.loads?\\(",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "deserialization",
+      "remediation": {
+        "title": "Use json or safer serialization",
+        "suggestions": [
+          "Use json module for data serialization",
+          "marshal is only safe for trusted data",
+          "Never deserialize marshal data from untrusted sources",
+          "Consider using json, msgpack, or protobuf for untrusted data"
+        ]
+      }
+    },
+    {
+      "id": "deser-004",
+      "name": "jsonpickle decode (Python)",
+      "description": "jsonpickle can deserialize arbitrary Python objects",
+      "severity": "HIGH",
+      "match": {
+        "type": "regex",
+        "value": "jsonpickle\\.(decode|loads)",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "deserialization",
+      "remediation": {
+        "title": "Use standard json module",
+        "suggestions": [
+          "Use json.loads() for untrusted data",
+          "jsonpickle can instantiate arbitrary classes",
+          "Only use jsonpickle with data you control",
+          "Implement class whitelisting if jsonpickle is required"
+        ]
+      }
+    }
+  ]
+}

package/dist/patterns/regex-dos.json

@@ -0,0 +1,50 @@
+{
+  "category": "regex-dos",
+  "patterns": [
+    {
+      "id": "redos-001",
+      "name": "Regex with nested quantifiers (ReDoS)",
+      "description": "Regex with nested quantifiers can cause exponential backtracking (ReDoS)",
+      "severity": "MEDIUM",
+      "match": {
+        "type": "regex",
+        "value": "new RegExp\\([^)]*\\([^)]*[*+]\\)[*+]|/[^/]*\\([^)]*[*+]\\)[*+][^/]*/",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "regex-dos",
+      "remediation": {
+        "title": "Avoid nested quantifiers",
+        "suggestions": [
+          "Simplify regex to avoid nested quantifiers like (a+)+",
+          "Use atomic groups or possessive quantifiers if supported",
+          "Set timeout for regex execution in production",
+          "Test regex with long inputs to detect exponential behavior",
+          "Consider using dedicated parsing libraries for complex formats"
+        ]
+      }
+    },
+    {
+      "id": "redos-002",
+      "name": "Regex with overlapping alternatives",
+      "description": "Regex with overlapping alternatives can cause catastrophic backtracking",
+      "severity": "LOW",
+      "match": {
+        "type": "regex",
+        "value": "new RegExp\\([^)]*\\|.*\\|.*\\|",
+        "flags": ""
+      },
+      "layer": "code",
+      "category": "regex-dos",
+      "remediation": {
+        "title": "Optimize regex alternatives",
+        "suggestions": [
+          "Combine overlapping alternatives",
+          "Order alternatives from most specific to least specific",
+          "Test regex performance with long inputs",
+          "Consider using string operations instead of regex for simple cases"
+        ]
+      }
+    }
+  ]
+}