awesome-slash 2.4.3 → 2.5.0

package/plugins/next-task/lib/patterns/review-patterns.js

@@ -328,8 +328,24 @@ const _patternCountByFramework = new Map();
  */
 const _flattenedPatterns = new Map();
 
-// Build indexes at module load time
-(function buildIndexes() {
+/**
+ * Track if indexes have been built (lazy initialization)
+ */
+let _indexesBuilt = false;
+
+/**
+ * Cached arrays for getAvailableFrameworks/Categories (computed once)
+ */
+let _cachedFrameworks = null;
+let _cachedCategories = null;
+
+/**
+ * Build indexes on first access (lazy initialization)
+ * This improves module load time by deferring work until needed
+ */
+function ensureIndexesBuilt() {
+  if (_indexesBuilt) return;
+
   for (const [framework, categories] of Object.entries(reviewPatterns)) {
     let totalPatterns = 0;
     const flattened = [];
@@ -355,11 +371,13 @@ const _flattenedPatterns = new Map();
     _patternCountByFramework.set(framework, totalPatterns);
     _flattenedPatterns.set(framework, flattened);
   }
-})();
 
-// Freeze the index Sets
-Object.freeze(_frameworksSet);
-Object.freeze(_categoriesSet);
+  // Cache the arrays (avoid repeated Array.from calls)
+  _cachedFrameworks = Array.from(_frameworksSet);
+  _cachedCategories = Array.from(_categoriesSet);
+
+  _indexesBuilt = true;
+}
 
 /**
  * Get review patterns for a detected framework (O(1) lookup)
@@ -377,6 +395,7 @@ function getPatternsForFramework(framework) {
  * @returns {Map<string, Array>} Map of framework -> patterns for that category
  */
 function getPatternsByCategory(category) {
+  ensureIndexesBuilt();
   return _patternsByCategory.get(category) || new Map();
 }
 
@@ -393,19 +412,23 @@ function getPatternsForFrameworkCategory(framework, category) {
 }
 
 /**
- * Get all available frameworks (O(1) via pre-computed Set)
+ * Get all available frameworks (O(1) via cached array)
+ * Optimized: returns cached array instead of Array.from() on every call
  * @returns {Array<string>} List of framework names
  */
 function getAvailableFrameworks() {
-  return Array.from(_frameworksSet);
+  ensureIndexesBuilt();
+  return _cachedFrameworks;
 }
 
 /**
- * Get all available categories across all frameworks
+ * Get all available categories across all frameworks (O(1) via cached array)
+ * Optimized: returns cached array instead of Array.from() on every call
  * @returns {Array<string>} List of category names
  */
 function getAvailableCategories() {
-  return Array.from(_categoriesSet);
+  ensureIndexesBuilt();
+  return _cachedCategories;
 }
 
 /**
@@ -435,6 +458,7 @@ function hasPatternsFor(framework) {
  * @returns {boolean} True if category exists
  */
 function hasCategory(category) {
+  ensureIndexesBuilt();
   return _categoriesSet.has(category);
 }
 
@@ -444,6 +468,7 @@ function hasCategory(category) {
  * @returns {number} Number of patterns
  */
 function getPatternCount(framework) {
+  ensureIndexesBuilt();
   return _patternCountByFramework.get(framework.toLowerCase()) || 0;
 }
 
@@ -452,6 +477,7 @@ function getPatternCount(framework) {
  * @returns {number} Total pattern count
  */
 function getTotalPatternCount() {
+  ensureIndexesBuilt();
   let total = 0;
   for (const count of _patternCountByFramework.values()) {
     total += count;
@@ -461,17 +487,37 @@ function getTotalPatternCount() {
 
 /**
  * Search patterns by keyword across all frameworks
+ * Optimized: supports pagination to avoid returning thousands of results
  * @param {string} keyword - Search term (case-insensitive)
+ * @param {Object} [options] - Search options
+ * @param {number} [options.limit] - Maximum number of results (default: unlimited)
+ * @param {number} [options.offset=0] - Number of results to skip
  * @returns {Array<{framework: string, category: string, pattern: string}>} Matching patterns
  */
-function searchPatterns(keyword) {
+function searchPatterns(keyword, options = {}) {
+  ensureIndexesBuilt();
   const lowerKeyword = keyword.toLowerCase();
+  const { limit, offset = 0 } = options;
   const results = [];
+  let skipped = 0;
+  let collected = 0;
 
   for (const [framework, patterns] of _flattenedPatterns) {
     for (const { category, pattern } of patterns) {
       if (pattern.toLowerCase().includes(lowerKeyword)) {
+        // Skip results until we reach offset
+        if (skipped < offset) {
+          skipped++;
+          continue;
+        }
+
         results.push({ framework, category, pattern });
+        collected++;
+
+        // Stop if we've collected enough results
+        if (limit && collected >= limit) {
+          return results;
+        }
       }
     }
   }
@@ -485,6 +531,7 @@ function searchPatterns(keyword) {
  * @returns {Array<string>} List of frameworks with this category
  */
 function getFrameworksWithCategory(category) {
+  ensureIndexesBuilt();
   const categoryMap = _patternsByCategory.get(category);
   if (!categoryMap) return [];
   return Array.from(categoryMap.keys());

package/plugins/next-task/lib/patterns/slop-patterns.js

@@ -8,34 +8,102 @@
 
 /**
  * Deep freeze an object for V8 optimization and immutability
+ * Optimized: uses for-of instead of forEach to avoid function call overhead
  * @param {Object} obj - Object to freeze
  * @returns {Object} Frozen object
  */
 function deepFreeze(obj) {
-  Object.keys(obj).forEach(key => {
-    if (typeof obj[key] === 'object' && obj[key] !== null && !(obj[key] instanceof RegExp)) {
-      deepFreeze(obj[key]);
+  // Freeze the object first (fast path)
+  Object.freeze(obj);
+
+  // Then recursively freeze nested objects (only if needed)
+  // Use Object.keys() for cleaner iteration over own properties
+  for (const key of Object.keys(obj)) {
+    const value = obj[key];
+    if (value && typeof value === 'object' && !(value instanceof RegExp)) {
+      deepFreeze(value);
     }
-  });
-  return Object.freeze(obj);
+  }
+
+  return obj;
 }
 
-// Pre-compiled regex cache for performance
+// Pre-compiled regex cache for performance (limited to prevent memory growth)
+const MAX_PATTERN_CACHE_SIZE = 50;
 const _compiledExcludePatterns = new Map();
 
+// Exclude result cache for directory-level caching (limited to prevent memory growth)
+const MAX_EXCLUDE_RESULT_CACHE_SIZE = 200;
+const _excludeResultCache = new Map();
+
+/**
+ * Maximum allowed wildcards in a glob pattern to prevent ReDoS
+ */
+const MAX_GLOB_WILDCARDS = 10;
+
 /**
  * Get a compiled regex for an exclude pattern (cached)
+ * Uses safe regex construction to prevent catastrophic backtracking
+ * Optimized: uses Map.get() instead of has() + get() (eliminates redundant lookup)
  * @param {string} pattern - Glob pattern to compile
  * @returns {RegExp} Compiled regex
  */
 function getCompiledPattern(pattern) {
-  if (!_compiledExcludePatterns.has(pattern)) {
-    // Escape all regex metacharacters except *, then replace * with .*
-    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
-    const regexStr = '^' + escaped.replace(/\*/g, '.*') + '$';
-    _compiledExcludePatterns.set(pattern, new RegExp(regexStr));
+  // Try to get cached pattern (O(1) lookup)
+  let cached = _compiledExcludePatterns.get(pattern);
+  if (cached) {
+    return cached;
+  }
+
+  // Enforce cache size limit using FIFO eviction
+  if (_compiledExcludePatterns.size >= MAX_PATTERN_CACHE_SIZE) {
+    const firstKey = _compiledExcludePatterns.keys().next().value;
+    _compiledExcludePatterns.delete(firstKey);
+  }
+
+  // Count wildcards to prevent overly complex patterns
+  const wildcardCount = (pattern.match(/\*/g) || []).length;
+  if (wildcardCount > MAX_GLOB_WILDCARDS) {
+    // Too many wildcards - use a safe fallback that matches nothing dangerous
+    const safeRegex = /^$/;
+    _compiledExcludePatterns.set(pattern, safeRegex);
+    return safeRegex;
   }
-  return _compiledExcludePatterns.get(pattern);
+
+  // Escape all regex metacharacters except *
+  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+
+  // Convert glob patterns to regex:
+  // - Both * and ** use .* for backward compatibility (patterns match anywhere in path)
+  // - ReDoS protection is provided by MAX_GLOB_WILDCARDS limit above
+  let regexStr = escaped
+    .replace(/\*\*/g, '\0GLOBSTAR\0')  // Temporarily mark globstar
+    .replace(/\*/g, '.*')              // Single star: match anything (backward compatible)
+    .replace(/\0GLOBSTAR\0/g, '.*');   // Globstar: match anything
+
+  regexStr = '^' + regexStr + '$';
+  const compiledRegex = new RegExp(regexStr);
+  _compiledExcludePatterns.set(pattern, compiledRegex);
+  return compiledRegex;
+}
+
+/**
+ * Helper to create secret detection pattern with common metadata
+ * Reduces duplication across similar secret patterns (all have same severity/autoFix/language)
+ * @param {RegExp} pattern - Detection regex pattern
+ * @param {string} description - Human-readable description
+ * @param {Array<string>} [additionalExcludes=[]] - Extra files to exclude beyond standard test files
+ * @returns {Object} Complete pattern object
+ */
+function createSecretPattern(pattern, description, additionalExcludes = []) {
+  return {
+    pattern,
+    exclude: ['*.test.*', '*.spec.*', '*.example.*', ...additionalExcludes],
+    severity: 'critical',
+    autoFix: 'flag',
+    language: null,
+    description
+  };
 }
 
 /**
@@ -234,9 +302,12 @@ const slopPatterns = {
 
   /**
    * Hardcoded credentials patterns (expanded for comprehensive detection)
+   * Excludes common false positives:
+   * - Template placeholders: ${VAR}, {{VAR}}, <VAR>
+   * - Masked/example values: xxxxxxxx, ********
    */
   hardcoded_secrets: {
-    pattern: /(password|secret|api[_-]?key|token|credential|auth)[_-]?(key|token|secret|pass)?\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i,
+    pattern: /(password|secret|api[_-]?key|token|credential|auth)[_-]?(key|token|secret|pass)?\s*[:=]\s*["'`](?!\$\{)(?!\{\{)(?!<[A-Z_])(?![x*#]{8,})(?![X*#]{8,})[^"'`\s]{8,}["'`]/i,
     exclude: ['*.test.*', '*.spec.*', '*.example.*', '*.sample.*', 'README.*', '*.md'],
     severity: 'critical',
     autoFix: 'flag',
@@ -247,146 +318,99 @@ const slopPatterns = {
   /**
    * JWT tokens (eyJ prefix indicates base64 JSON header)
    */
-  jwt_tokens: {
-    pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded JWT token'
-  },
+  jwt_tokens: createSecretPattern(
+    /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/,
+    'Hardcoded JWT token'
+  ),
 
   /**
    * OpenAI API keys (sk-... format)
    */
-  openai_api_key: {
-    pattern: /sk-[a-zA-Z0-9]{32,}/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded OpenAI API key'
-  },
+  openai_api_key: createSecretPattern(
+    /sk-[a-zA-Z0-9]{32,}/,
+    'Hardcoded OpenAI API key'
+  ),
 
   /**
    * GitHub tokens (personal access tokens, fine-grained tokens, OAuth)
    */
-  github_token: {
-    pattern: /(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded GitHub token'
-  },
+  github_token: createSecretPattern(
+    /(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36}|github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59})/,
+    'Hardcoded GitHub token'
+  ),
 
   /**
    * AWS credentials (access key IDs and secret keys)
    */
-  aws_credentials: {
-    pattern: /(AKIA[0-9A-Z]{16}|aws_secret_access_key\s*[:=]\s*["'`][A-Za-z0-9/+=]{40}["'`])/i,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded AWS credentials'
-  },
+  aws_credentials: createSecretPattern(
+    /(AKIA[0-9A-Z]{16}|aws_secret_access_key\s*[:=]\s*["'`][A-Za-z0-9/+=]{40}["'`])/i,
+    'Hardcoded AWS credentials'
+  ),
 
   /**
    * Google Cloud / Firebase API keys and service accounts
    */
-  google_api_key: {
-    pattern: /(AIza[0-9A-Za-z_-]{35}|[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded Google/Firebase API key'
-  },
+  google_api_key: createSecretPattern(
+    /(AIza[0-9A-Za-z_-]{35}|[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com)/,
+    'Hardcoded Google/Firebase API key'
+  ),
 
   /**
    * Stripe API keys (live and test)
    */
-  stripe_api_key: {
-    pattern: /(sk_live_[a-zA-Z0-9]{24,}|sk_test_[a-zA-Z0-9]{24,}|rk_live_[a-zA-Z0-9]{24,}|rk_test_[a-zA-Z0-9]{24,})/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded Stripe API key'
-  },
+  stripe_api_key: createSecretPattern(
+    /(sk_live_[a-zA-Z0-9]{24,}|sk_test_[a-zA-Z0-9]{24,}|rk_live_[a-zA-Z0-9]{24,}|rk_test_[a-zA-Z0-9]{24,})/,
+    'Hardcoded Stripe API key'
+  ),
 
   /**
    * Slack tokens (bot, user, webhook)
    */
-  slack_token: {
-    pattern: /(xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}|xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}|xoxa-[0-9]{10,}-[a-zA-Z0-9]{24}|https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]{8}\/B[A-Z0-9]{8,}\/[a-zA-Z0-9]{24})/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded Slack token or webhook URL'
-  },
+  slack_token: createSecretPattern(
+    /(xoxb-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}|xoxp-[0-9]{10,}-[0-9]{10,}-[a-zA-Z0-9]{24}|xoxa-[0-9]{10,}-[a-zA-Z0-9]{24}|https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]{8}\/B[A-Z0-9]{8,}\/[a-zA-Z0-9]{24})/,
+    'Hardcoded Slack token or webhook URL'
+  ),
 
   /**
    * Discord tokens and webhook URLs
    */
-  discord_token: {
-    pattern: /(discord.*["'`][A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}["'`]|https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[A-Za-z0-9_-]+)/i,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded Discord token or webhook'
-  },
+  discord_token: createSecretPattern(
+    /(discord.*["'`][A-Za-z0-9_-]{24}\.[A-Za-z0-9_-]{6}\.[A-Za-z0-9_-]{27}["'`]|https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[A-Za-z0-9_-]+)/i,
+    'Hardcoded Discord token or webhook'
+  ),
 
   /**
    * SendGrid API key
    */
-  sendgrid_api_key: {
-    pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded SendGrid API key'
-  },
+  sendgrid_api_key: createSecretPattern(
+    /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/,
+    'Hardcoded SendGrid API key'
+  ),
 
   /**
    * Twilio credentials
    */
-  twilio_credentials: {
-    pattern: /(AC[a-f0-9]{32}|SK[a-f0-9]{32})/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded Twilio credentials'
-  },
+  twilio_credentials: createSecretPattern(
+    /(AC[a-f0-9]{32}|SK[a-f0-9]{32})/,
+    'Hardcoded Twilio credentials'
+  ),
 
   /**
    * NPM tokens
    */
-  npm_token: {
-    pattern: /npm_[a-zA-Z0-9]{36}/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Hardcoded NPM token'
-  },
+  npm_token: createSecretPattern(
+    /npm_[a-zA-Z0-9]{36}/,
+    'Hardcoded NPM token'
+  ),
 
   /**
    * Private keys (RSA, DSA, EC, PGP)
    */
-  private_key: {
-    pattern: /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/,
-    exclude: ['*.test.*', '*.spec.*', '*.example.*', '*.pem.example'],
-    severity: 'critical',
-    autoFix: 'flag',
-    language: null,
-    description: 'Private key in source code'
-  },
+  private_key: createSecretPattern(
+    /-----BEGIN\s+(RSA\s+)?PRIVATE\s+KEY-----/,
+    'Private key in source code',
+    ['*.pem.example'] // Additional excludes beyond standard test files
+  ),
 
   /**
    * Generic high-entropy strings (potential secrets)
@@ -549,6 +573,7 @@ function getPatternsByAutoFix(autoFix) {
 
 /**
  * Get patterns matching multiple criteria (language AND severity)
+ * Optimized: single-pass filtering instead of chained Object.entries
  * @param {Object} criteria - Filter criteria
  * @param {string} [criteria.language] - Language filter
  * @param {string} [criteria.severity] - Severity filter
@@ -556,27 +581,25 @@ function getPatternsByAutoFix(autoFix) {
  * @returns {Object} Patterns matching all criteria
  */
 function getPatternsByCriteria(criteria = {}) {
-  let result = { ...slopPatterns };
-
-  if (criteria.language) {
-    const langPatterns = getPatternsForLanguage(criteria.language);
-    result = Object.fromEntries(
-      Object.entries(result).filter(([name]) => name in langPatterns)
-    );
+  // Fast path: no criteria means return all patterns
+  if (!criteria.language && !criteria.severity && !criteria.autoFix) {
+    return { ...slopPatterns };
   }
 
-  if (criteria.severity) {
-    const severityPatterns = getPatternsBySeverity(criteria.severity);
-    result = Object.fromEntries(
-      Object.entries(result).filter(([name]) => name in severityPatterns)
-    );
-  }
+  // Pre-fetch filter sets (O(1) Map lookups)
+  const langPatterns = criteria.language ? getPatternsForLanguage(criteria.language) : null;
+  const severityPatterns = criteria.severity ? getPatternsBySeverity(criteria.severity) : null;
+  const autoFixPatterns = criteria.autoFix ? getPatternsByAutoFix(criteria.autoFix) : null;
 
-  if (criteria.autoFix) {
-    const autoFixPatterns = getPatternsByAutoFix(criteria.autoFix);
-    result = Object.fromEntries(
-      Object.entries(result).filter(([name]) => name in autoFixPatterns)
-    );
+  // Single-pass filter: check all criteria at once
+  const result = {};
+  for (const [name, pattern] of Object.entries(slopPatterns)) {
+    // Check all criteria in one pass (short-circuit on first failure)
+    if (langPatterns && !(name in langPatterns)) continue;
+    if (severityPatterns && !(name in severityPatterns)) continue;
+    if (autoFixPatterns && !(name in autoFixPatterns)) continue;
+
+    result[name] = pattern;
   }
 
   return result;
@@ -609,7 +632,7 @@ function hasLanguage(language) {
 
 /**
  * Check if a file should be excluded based on pattern rules
- * Uses pre-compiled regex cache for performance
+ * Uses pre-compiled regex cache and result cache for performance
  * @param {string} filePath - File path to check
  * @param {Array<string>} excludePatterns - Exclude patterns
  * @returns {boolean} True if file should be excluded
@@ -617,10 +640,28 @@ function hasLanguage(language) {
 function isFileExcluded(filePath, excludePatterns) {
   if (!excludePatterns || excludePatterns.length === 0) return false;
 
-  return excludePatterns.some(pattern => {
+  // Create cache key using JSON.stringify for collision-resistant format
+  const cacheKey = JSON.stringify([filePath, excludePatterns]);
+
+  // Check cache first (O(1) lookup)
+  if (_excludeResultCache.has(cacheKey)) {
+    return _excludeResultCache.get(cacheKey);
+  }
+
+  // Compute result
+  const result = excludePatterns.some(pattern => {
     const regex = getCompiledPattern(pattern);
     return regex.test(filePath);
   });
+
+  // Store in cache with FIFO eviction
+  if (_excludeResultCache.size >= MAX_EXCLUDE_RESULT_CACHE_SIZE) {
+    const firstKey = _excludeResultCache.keys().next().value;
+    _excludeResultCache.delete(firstKey);
+  }
+  _excludeResultCache.set(cacheKey, result);
+
+  return result;
 }
 
 module.exports = {