npm - circle-ir - Versions diffs - 3.80.0 → 3.82.0 - Mend

circle-ir 3.80.0 → 3.82.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/dist/analysis/passes/unrestricted-file-upload-pass.js ADDED Viewed

@@ -0,0 +1,193 @@
+/**
+ * Pass: unrestricted-file-upload (CWE-434, category: security)
+ *
+ * Detects when an HTTP-uploaded file is saved to disk WITHOUT a filename
+ * allow-list (extension check) or `secure_filename` normalization.
+ *
+ * Detection (per language):
+ *
+ *   Java (Spring MultipartFile / Servlet Part):
+ *     - `file.transferTo(new File(dir, file.getOriginalFilename()))`
+ *     - `Files.copy(part.getInputStream(), Path.of(dir, part.getSubmittedFileName()))`
+ *     - Without preceding `ALLOWED_*.contains(ext)` or
+ *       `FilenameUtils.getExtension(name)` + check.
+ *
+ *   JS/TS (multer / express-fileupload):
+ *     - `multer({ dest: '…' })` with NO `fileFilter` option.
+ *     - `fs.writeFile(path, req.file.buffer)` / `req.files.x.mv(path)`
+ *       without prior `path.extname` allow-list check.
+ *
+ *   Python (Flask / Django / FastAPI):
+ *     - `f.save(os.path.join(UPLOAD_DIR, f.filename))` without prior
+ *       `secure_filename(f.filename)` wrapping.
+ *
+ *   Go:
+ *     - `io.Copy(dst, file)` where `dst = os.Create(fileHeader.Filename)`
+ *       without an extension allow-list.
+ *
+ * The pass is intentionally conservative — it only fires when an upload-name
+ * expression flows directly into a save sink in the same function and no
+ * known allow-list / canonicalizer call appears earlier in the function.
+ */
+/** Receivers / expressions that look like an uploaded file value. */
+const UPLOAD_NAME_RE = /(?:getOriginalFilename|getSubmittedFileName|originalname|originalName|\.filename|\.Filename|FileHeader\.Filename|UploadFile)/;
+/** Identifier-level allow-list / canonicalization calls that defang upload paths. */
+const FILE_SAFE_CALL_RE = /(?:secure_filename|FilenameUtils\.getExtension|\.lastIndexOf\(['"]\.['"]\)|ALLOWED_EXT|ALLOWED_EXTENSIONS|allowedExtensions|\bfileFilter\b|filepath\.Ext|path\.extname)/;
+function lineWindow(code, startLine, endLine) {
+    const lines = code.split('\n');
+    const s = Math.max(0, startLine - 1);
+    const e = Math.min(lines.length, endLine);
+    return lines.slice(s, e).join('\n');
+}
+function callHasUploadName(call) {
+    for (const a of call.arguments) {
+        const expr = (a.expression ?? a.variable ?? '').trim();
+        if (UPLOAD_NAME_RE.test(expr))
+            return true;
+    }
+    // Receiver too (e.g. multipart `file.transferTo(...)`).
+    if (UPLOAD_NAME_RE.test(call.receiver ?? ''))
+        return true;
+    return false;
+}
+export class UnrestrictedFileUploadPass {
+    name = 'unrestricted-file-upload';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        // Build per-function safety windows: a function is "safe" if its body
+        // contains any FILE_SAFE_CALL_RE marker. Used to suppress findings inside
+        // that scope.
+        const safeFunctionRanges = [];
+        for (const t of graph.ir.types) {
+            for (const m of t.methods) {
+                const body = lineWindow(code, m.start_line, m.end_line);
+                if (FILE_SAFE_CALL_RE.test(body)) {
+                    safeFunctionRanges.push({ start: m.start_line, end: m.end_line });
+                }
+            }
+        }
+        const inSafeRange = (line) => {
+            for (const r of safeFunctionRanges) {
+                if (line >= r.start && line <= r.end)
+                    return true;
+            }
+            // No method information — fall back to a ±20-line window around the call.
+            const win = lineWindow(code, Math.max(1, line - 20), line + 5);
+            return FILE_SAFE_CALL_RE.test(win);
+        };
+        // --- Per-language detection -----------------------------------------------
+        if (language === 'java') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                // file.transferTo(...)
+                if (m === 'transferTo' && callHasUploadName(call)) {
+                    if (inSafeRange(call.location.line))
+                        continue;
+                    this.emit(ctx, findings, file, call.location.line, language, 'MultipartFile.transferTo(<original filename>)');
+                    continue;
+                }
+                // Files.copy(getInputStream, Path.of(dir, getOriginalFilename))
+                if (m === 'copy' && (call.receiver === 'Files' || (call.receiver ?? '').endsWith('.Files'))) {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, 'Files.copy(input, Path.of(dir, <original filename>))');
+                    }
+                }
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                // multer({ dest: '...' }) — flag if same call object lacks fileFilter.
+                if (m === 'multer' || (rec === '' && m === 'multer')) {
+                    const arg0 = call.arguments.find((a) => a.position === 0);
+                    const expr = (arg0?.expression ?? '').trim();
+                    if (/\bdest\s*:/.test(expr) && !/\bfileFilter\s*:/.test(expr)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, 'multer({ dest }) without fileFilter');
+                        continue;
+                    }
+                }
+                // fs.writeFile(<path>, req.file.buffer) / req.files.x.mv(<path>)
+                if (rec === 'fs' && (m === 'writeFile' || m === 'writeFileSync' || m === 'appendFile')) {
+                    if (callHasUploadName(call) ||
+                        call.arguments.some((a) => /\breq\.file(?:s)?\b/.test((a.expression ?? a.variable ?? '')))) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `fs.${m}(<path>, req.file.buffer)`);
+                    }
+                }
+            }
+        }
+        if (language === 'python') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                // f.save(os.path.join(UPLOAD_DIR, f.filename))
+                if (m === 'save') {
+                    const rec = call.receiver ?? '';
+                    // Accept any receiver that looks file-ish or empty (`f.save`, `file.save`).
+                    if (!/^(f|file|upload|attachment)$/i.test(rec) && rec !== '')
+                        continue;
+                    if (!callHasUploadName(call))
+                        continue;
+                    if (inSafeRange(call.location.line))
+                        continue;
+                    this.emit(ctx, findings, file, call.location.line, language, 'f.save(<dir>, f.filename) without secure_filename');
+                }
+            }
+        }
+        if (language === 'go') {
+            for (const call of graph.ir.calls) {
+                const m = call.method_name ?? '';
+                const rec = call.receiver ?? '';
+                // os.Create(header.Filename)
+                if (rec === 'os' && (m === 'Create' || m === 'OpenFile')) {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `os.${m}(<uploaded filename>)`);
+                    }
+                }
+                // ioutil.WriteFile(header.Filename, …)
+                if ((rec === 'os' || rec === 'ioutil') && m === 'WriteFile') {
+                    if (callHasUploadName(call)) {
+                        if (inSafeRange(call.location.line))
+                            continue;
+                        this.emit(ctx, findings, file, call.location.line, language, `${rec}.WriteFile(<uploaded filename>, …)`);
+                    }
+                }
+            }
+        }
+        return { findings };
+    }
+    emit(ctx, findings, file, line, language, api) {
+        findings.push({ line, api, language });
+        ctx.addFinding({
+            id: `${this.name}-${file}-${line}`,
+            pass: this.name,
+            category: this.category,
+            rule_id: this.name,
+            cwe: 'CWE-434',
+            severity: 'high',
+            level: 'error',
+            message: `File upload saved using untrusted name (${api}) — no extension allow-list or ` +
+                'filename canonicalization detected. An attacker can upload a `.jsp`/`.php`/`.html` ' +
+                'file and request it back, achieving RCE or stored XSS.',
+            file,
+            line,
+            fix: 'Validate the uploaded extension against an allow-list (e.g. ' +
+                '`Set.of("png","jpg")`), then save with a sanitized filename. In Python use ' +
+                '`werkzeug.utils.secure_filename`. In multer pass a `fileFilter`. Never ' +
+                'concatenate the upload\'s original filename into a save path without ' +
+                'validation.',
+            evidence: { api, language },
+        });
+    }
+}
+//# sourceMappingURL=unrestricted-file-upload-pass.js.map

package/dist/analysis/passes/unrestricted-file-upload-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"unrestricted-file-upload-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/unrestricted-file-upload-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AASH,qEAAqE;AACrE,MAAM,cAAc,GAClB,8HAA8H,CAAC;AAEjI,qFAAqF;AACrF,MAAM,iBAAiB,GACrB,yKAAyK,CAAC;AAE5K,SAAS,UAAU,CAAC,IAAY,EAAE,SAAiB,EAAE,OAAe;IAClE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,GAAG,CAAC,CAAC,CAAC;IACrC,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACtC,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc;IACvC,KAAK,MAAM,CAAC,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACvD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7C,CAAC;IACD,wDAAwD;IACxD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1D,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,0BAA0B;IAC5B,IAAI,GAAG,0BAA0B,CAAC;IAClC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA6C,EAAE,CAAC;QAE9D,sEAAsE;QACtE,0EAA0E;QAC1E,cAAc;QACd,MAAM,kBAAkB,GAA0C,EAAE,CAAC;QACrE,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAC/B,KAAK,MAAM,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC1B,MAAM,IAAI,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC;gBACxD,IAAI,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACjC,kBAAkB,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;gBACpE,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,CAAC,IAAY,EAAW,EAAE;YAC5C,KAAK,MAAM,CAAC,IAAI,kBAAkB,EAAE,CAAC;gBACnC,IAAI,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG;oBAAE,OAAO,IAAI,CAAC;YACpD,CAAC;YACD,0EAA0E;YAC1E,MAAM,GAAG,GAAG,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,EAAE,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;YAC/D,OAAO,iBAAiB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrC,CAAC,CAAC;QAEF,6EAA6E;QAE7E,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,uBAAuB;gBACvB,IAAI,CAAC,KAAK,YAAY,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;oBAClD,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,+CAA+C,CAAC,CAAC;oBAC3D,SAAS;gBACX,CAAC;gBACD,gEAAgE;gBAChE,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;oBAC5F,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,sDAAsD,CAAC,CAAC;oBACpE,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAEhC,uEAAuE;gBACvE,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,GAAG,KAAK,EAAE,IAAI,CAAC,KAAK,QAAQ,CAAC,EAAE,CAAC;oBACrD,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;oBAC1D,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC9D,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,qCAAqC,CAAC,CAAC;wBACjD,SAAS;oBACX,CAAC;gBACH,CAAC;gBAED,iEAAiE;gBACjE,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,eAAe,IAAI,CAAC,KAAK,YAAY,CAAC,EAAE,CAAC;oBACvF,IAAI,iBAAiB,CAAC,IAAI,CAAC;wBACvB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;wBAC/F,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,MAAM,CAAC,2BAA2B,CAAC,CAAC;oBAChD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,+CAA+C;gBAC/C,IAAI,CAAC,KAAK,MAAM,EAAE,CAAC;oBACjB,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;oBAChC,4EAA4E;oBAC5E,IAAI,CAAC,+BAA+B,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,GAAG,KAAK,EAAE;wBAAE,SAAS;oBACvE,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC;wBAAE,SAAS;oBACvC,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAAE,SAAS;oBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,mDAAmD,CAAC,CAAC;gBACjE,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;gBAClC,MAAM,CAAC,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;gBACjC,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;gBAChC,6BAA6B;gBAC7B,IAAI,GAAG,KAAK,IAAI,IAAI,CAAC,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,UAAU,CAAC,EAAE,CAAC;oBACzD,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,MAAM,CAAC,uBAAuB,CAAC,CAAC;oBAC5C,CAAC;gBACH,CAAC;gBACD,uCAAuC;gBACvC,IAAI,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,QAAQ,CAAC,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC;oBAC5D,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;wBAC5B,IAAI,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;4BAAE,SAAS;wBAC9C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,EACjD,GAAG,GAAG,oCAAoC,CAAC,CAAC;oBACxD,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,IAAI,CACV,GAAgB,EAChB,QAAkD,EAClD,IAAY,EACZ,IAAY,EACZ,QAAgB,EAChB,GAAW;QAEX,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC,CAAC;QACvC,GAAG,CAAC,UAAU,CAAC;YACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;YAClC,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,IAAI;YAClB,GAAG,EAAE,SAAS;YACd,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,OAAO;YACd,OAAO,EACL,2CAA2C,GAAG,iCAAiC;gBAC/E,qFAAqF;gBACrF,wDAAwD;YAC1D,IAAI;YACJ,IAAI;YACJ,GAAG,EACD,8DAA8D;gBAC9D,6EAA6E;gBAC7E,yEAAyE;gBACzE,uEAAuE;gBACvE,aAAa;YACf,QAAQ,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;SAC5B,CAAC,CAAC;IACL,CAAC;CACF"}

package/dist/analysis/passes/weak-password-encoding-pass.d.ts ADDED Viewed

@@ -0,0 +1,40 @@
+/**
+ * Pass: weak-password-encoding (CWE-261, category: security)
+ *
+ * Detects use of an encoding (base64 / hex) on a credential-named identifier.
+ * Encoding is NOT encryption — base64-encoding a password before storing or
+ * transmitting it provides no confidentiality. Common anti-pattern.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `base64.b64encode(password)` / `.urlsafe_b64encode(...)`
+ *     - `binascii.hexlify(password)`
+ *   JS/TS:
+ *     - `Buffer.from(password).toString('base64')` / `.toString('hex')`
+ *     - `btoa(password)`
+ *   Java:
+ *     - `Base64.getEncoder().encodeToString(passwordBytes)`
+ *     - `Base64.getUrlEncoder().encodeToString(...)`
+ *     - `Hex.encodeHexString(passwordBytes)`
+ *   Go:
+ *     - `base64.StdEncoding.EncodeToString(passwordBytes)`
+ *     - `hex.EncodeToString(...)`
+ *
+ * FP-guard: skip when the encoded value is part of an HTTP Basic auth
+ * header construction (`"Basic " + base64(...)`) — that IS the spec.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakPasswordEncodingResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        api: string;
+    }>;
+}
+export declare class WeakPasswordEncodingPass implements AnalysisPass<WeakPasswordEncodingResult> {
+    readonly name = "weak-password-encoding";
+    readonly category: "security";
+    run(ctx: PassContext): WeakPasswordEncodingResult;
+    private detect;
+}
+//# sourceMappingURL=weak-password-encoding-pass.d.ts.map

package/dist/analysis/passes/weak-password-encoding-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-password-encoding-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-encoding-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAO9E,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAcD,qBAAa,wBAAyB,YAAW,YAAY,CAAC,0BAA0B,CAAC;IACvF,QAAQ,CAAC,IAAI,4BAA4B;IACzC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,0BAA0B;IAoCjD,OAAO,CAAC,MAAM;CAsFf"}

package/dist/analysis/passes/weak-password-encoding-pass.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * Pass: weak-password-encoding (CWE-261, category: security)
+ *
+ * Detects use of an encoding (base64 / hex) on a credential-named identifier.
+ * Encoding is NOT encryption — base64-encoding a password before storing or
+ * transmitting it provides no confidentiality. Common anti-pattern.
+ *
+ * Detection per language:
+ *   Python:
+ *     - `base64.b64encode(password)` / `.urlsafe_b64encode(...)`
+ *     - `binascii.hexlify(password)`
+ *   JS/TS:
+ *     - `Buffer.from(password).toString('base64')` / `.toString('hex')`
+ *     - `btoa(password)`
+ *   Java:
+ *     - `Base64.getEncoder().encodeToString(passwordBytes)`
+ *     - `Base64.getUrlEncoder().encodeToString(...)`
+ *     - `Hex.encodeHexString(passwordBytes)`
+ *   Go:
+ *     - `base64.StdEncoding.EncodeToString(passwordBytes)`
+ *     - `hex.EncodeToString(...)`
+ *
+ * FP-guard: skip when the encoded value is part of an HTTP Basic auth
+ * header construction (`"Basic " + base64(...)`) — that IS the spec.
+ */
+import { argLooksLikeCredential, literalAt, } from './_credential-helpers.js';
+function isBasicAuthContext(call, code) {
+    // Look at the source line for "Basic " literal nearby — heuristic
+    // for HTTP Basic auth construction where base64 is part of the spec.
+    const line = call.location.line;
+    if (line < 1)
+        return false;
+    const lines = code.split('\n');
+    const start = Math.max(0, line - 2);
+    const end = Math.min(lines.length, line + 1);
+    const window = lines.slice(start, end).join('\n');
+    return /["'`]Basic\s/i.test(window);
+}
+export class WeakPasswordEncodingPass {
+    name = 'weak-password-encoding';
+    category = 'security';
+    run(ctx) {
+        const { graph, language, code } = ctx;
+        const file = graph.ir.meta.file;
+        const findings = [];
+        for (const call of graph.ir.calls) {
+            const api = this.detect(call, language);
+            if (!api)
+                continue;
+            if (isBasicAuthContext(call, code))
+                continue;
+            const line = call.location.line;
+            findings.push({ line, language, api });
+            ctx.addFinding({
+                id: `${this.name}-${file}-${line}`,
+                pass: this.name,
+                category: this.category,
+                rule_id: this.name,
+                cwe: 'CWE-261',
+                severity: 'medium',
+                level: 'warning',
+                message: `Credential encoded via \`${api}\` — encoding is NOT encryption. ` +
+                    'Base64/hex provide no confidentiality; anyone with the encoded value can decode it.',
+                file,
+                line,
+                fix: 'For storage, use a password hash (Argon2id / bcrypt). ' +
+                    'For transport, use TLS. For symmetric secrecy, use authenticated encryption (AES-GCM).',
+                evidence: { api, language },
+            });
+        }
+        return { findings };
+    }
+    detect(call, language) {
+        const method = call.method_name ?? '';
+        const receiver = call.receiver ?? '';
+        const recvLower = receiver.toLowerCase();
+        const arg0 = call.arguments.find((a) => a.position === 0);
+        if (language === 'python') {
+            // base64.b64encode(password)
+            if (recvLower === 'base64' &&
+                (method === 'b64encode' || method === 'urlsafe_b64encode' ||
+                    method === 'standard_b64encode')) {
+                if (argLooksLikeCredential(arg0))
+                    return `base64.${method}`;
+            }
+            // binascii.hexlify(password)
+            if (recvLower === 'binascii' && method === 'hexlify') {
+                if (argLooksLikeCredential(arg0))
+                    return 'binascii.hexlify';
+            }
+        }
+        if (language === 'javascript' || language === 'typescript') {
+            // Buffer.from(password).toString('base64')
+            if (method === 'toString') {
+                const encoding = literalAt(call, 0);
+                if (encoding === 'base64' || encoding === 'hex' || encoding === 'base64url') {
+                    // Receiver expression should look like `Buffer.from(<credential>)`.
+                    // Conservative: check if receiver text contains "Buffer.from" and a
+                    // credential keyword.
+                    const recv = (receiver ?? '').toLowerCase();
+                    if (recv.includes('buffer.from') &&
+                        /(?:password|passwd|pwd|secret|api[_-]?key|auth[_-]?token|private[_-]?key|access[_-]?key|credential)/i
+                            .test(receiver ?? '')) {
+                        return `Buffer.from().toString('${encoding}')`;
+                    }
+                }
+            }
+            // btoa(password)
+            if (method === 'btoa' && receiver === '') {
+                if (argLooksLikeCredential(arg0))
+                    return 'btoa';
+            }
+        }
+        if (language === 'java') {
+            // Base64.getEncoder().encodeToString(passwordBytes)
+            // Or Base64.getUrlEncoder().encodeToString(...).
+            if (method === 'encodeToString') {
+                const recv = (receiver ?? '').toLowerCase();
+                if (recv.includes('encoder') || recv.includes('base64')) {
+                    // arg[0] expr typically looks like `password.getBytes()`.
+                    const expr = (arg0?.expression ?? '').trim();
+                    const head = expr.split(/[.\s(]/, 1)[0] ?? '';
+                    if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                        return 'Base64.encodeToString';
+                    }
+                }
+            }
+            // Hex.encodeHexString(passwordBytes)
+            if (method === 'encodeHexString' &&
+                (receiver === 'Hex' || receiver.endsWith('.Hex'))) {
+                const expr = (arg0?.expression ?? '').trim();
+                const head = expr.split(/[.\s(]/, 1)[0] ?? '';
+                if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                    return 'Hex.encodeHexString';
+                }
+            }
+        }
+        if (language === 'go') {
+            // base64.StdEncoding.EncodeToString(passwordBytes)
+            if (method === 'EncodeToString') {
+                const recv = (receiver ?? '').toLowerCase();
+                if (recv.includes('base64') || recv.includes('hex') ||
+                    recv.includes('encoding')) {
+                    const expr = (arg0?.expression ?? '').trim();
+                    // Strip `[]byte(...)` wrapper.
+                    const inner = expr.replace(/^\[\]byte\s*\(\s*/, '').replace(/\s*\)\s*$/, '');
+                    const head = inner.split(/[.\s(]/, 1)[0] ?? '';
+                    if (argLooksLikeCredential({ position: 0, expression: head, variable: head })) {
+                        return recv.includes('hex') ? 'hex.EncodeToString' : 'base64.EncodeToString';
+                    }
+                }
+            }
+        }
+        return null;
+    }
+}
+//# sourceMappingURL=weak-password-encoding-pass.js.map

package/dist/analysis/passes/weak-password-encoding-pass.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-password-encoding-pass.js","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-encoding-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAIH,OAAO,EACL,sBAAsB,EACtB,SAAS,GACV,MAAM,0BAA0B,CAAC;AAUlC,SAAS,kBAAkB,CAAC,IAAc,EAAE,IAAY;IACtD,kEAAkE;IAClE,qEAAqE;IACrE,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;IAChC,IAAI,IAAI,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,GAAG,CAAC,CAAC,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClD,OAAO,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,OAAO,wBAAwB;IAC1B,IAAI,GAAG,wBAAwB,CAAC;IAChC,QAAQ,GAAG,UAAmB,CAAC;IAExC,GAAG,CAAC,GAAgB;QAClB,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,GAAG,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC;QAChC,MAAM,QAAQ,GAA2C,EAAE,CAAC;QAE5D,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;YACxC,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,IAAI,kBAAkB,CAAC,IAAI,EAAE,IAAI,CAAC;gBAAE,SAAS;YAE7C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YAEvC,GAAG,CAAC,UAAU,CAAC;gBACb,EAAE,EAAE,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,IAAI,IAAI,EAAE;gBAClC,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,QAAQ,EAAE,IAAI,CAAC,QAAQ;gBACvB,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,GAAG,EAAE,SAAS;gBACd,QAAQ,EAAE,QAAQ;gBAClB,KAAK,EAAE,SAAS;gBAChB,OAAO,EACL,4BAA4B,GAAG,mCAAmC;oBAClE,qFAAqF;gBACvF,IAAI;gBACJ,IAAI;gBACJ,GAAG,EACD,wDAAwD;oBACxD,wFAAwF;gBAC1F,QAAQ,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;aAC5B,CAAC,CAAC;QACL,CAAC;QAED,OAAO,EAAE,QAAQ,EAAE,CAAC;IACtB,CAAC;IAEO,MAAM,CAAC,IAAc,EAAE,QAAgB;QAC7C,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;QAEzC,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC;QAE1D,IAAI,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1B,6BAA6B;YAC7B,IAAI,SAAS,KAAK,QAAQ;gBACtB,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,KAAK,mBAAmB;oBACxD,MAAM,KAAK,oBAAoB,CAAC,EAAE,CAAC;gBACtC,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,UAAU,MAAM,EAAE,CAAC;YAC9D,CAAC;YACD,6BAA6B;YAC7B,IAAI,SAAS,KAAK,UAAU,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACrD,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,kBAAkB,CAAC;YAC9D,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,YAAY,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC3D,2CAA2C;YAC3C,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;gBAC1B,MAAM,QAAQ,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBACpC,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;oBAC5E,oEAAoE;oBACpE,oEAAoE;oBACpE,sBAAsB;oBACtB,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;oBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;wBAC5B,sGAAsG;6BACnG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC5B,OAAO,2BAA2B,QAAQ,IAAI,CAAC;oBACjD,CAAC;gBACH,CAAC;YACH,CAAC;YACD,iBAAiB;YACjB,IAAI,MAAM,KAAK,MAAM,IAAI,QAAQ,KAAK,EAAE,EAAE,CAAC;gBACzC,IAAI,sBAAsB,CAAC,IAAI,CAAC;oBAAE,OAAO,MAAM,CAAC;YAClD,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YACxB,oDAAoD;YACpD,iDAAiD;YACjD,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;oBACxD,0DAA0D;oBAC1D,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC9C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC9E,OAAO,uBAAuB,CAAC;oBACjC,CAAC;gBACH,CAAC;YACH,CAAC;YACD,qCAAqC;YACrC,IAAI,MAAM,KAAK,iBAAiB;gBAC5B,CAAC,QAAQ,KAAK,KAAK,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC9C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;oBAC9E,OAAO,qBAAqB,CAAC;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YACtB,mDAAmD;YACnD,IAAI,MAAM,KAAK,gBAAgB,EAAE,CAAC;gBAChC,MAAM,IAAI,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC5C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC/C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC9B,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC7C,+BAA+B;oBAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;oBAC7E,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC/C,IAAI,sBAAsB,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;wBAC9E,OAAO,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,uBAAuB,CAAC;oBAC/E,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF"}

package/dist/analysis/passes/weak-password-hash-pass.d.ts ADDED Viewed

@@ -0,0 +1,49 @@
+/**
+ * Pass: weak-password-hash (CWE-916, category: security)
+ *
+ * Detects use of a fast / unsalted hash, or a KDF with insufficient
+ * computational cost, applied to a credential-named identifier.
+ *
+ * Distinct from `weak-hash` (CWE-328):
+ *   - `weak-hash` flags broken algorithms (MD2/MD4/MD5/SHA-1) at any call site.
+ *   - `weak-password-hash` flags algorithm/cost choices that are SAFE for
+ *     general digests but UNSAFE for password storage (e.g. plain SHA-256
+ *     of a password, bcrypt cost < 10, PBKDF2 iterations < 100k).
+ *
+ * Detection per language:
+ *   Python:
+ *     - `hashlib.sha256(password)` / `.sha512(...)` / etc. where the
+ *       argument is a credential-named identifier.
+ *     - `bcrypt.hashpw(pw, bcrypt.gensalt(rounds=N))` where N < 10.
+ *     - `PBKDF2HMAC(..., iterations=N).derive(pw)` where N < 100000.
+ *   JS/TS:
+ *     - `crypto.createHash('sha256').update(password).digest()`.
+ *     - `bcrypt.hash(pw, N)` / `bcrypt.hashSync(pw, N)` where N < 10.
+ *     - `crypto.pbkdf2Sync(pw, salt, N, ...)` where N < 100000.
+ *   Java:
+ *     - `MessageDigest.getInstance("SHA-256")` followed by `.update(pw)` —
+ *       conservative: detect `MessageDigest.getInstance` + `.update(credIdent)`
+ *       on any non-broken algorithm. (Broken algos already flagged by weak-hash.)
+ *     - `PBEKeySpec(pw, salt, N, ...)` where N < 100000.
+ *   Go:
+ *     - `sha256.Sum256([]byte(password))`, `sha512.Sum512([]byte(password))`.
+ *     - `bcrypt.GenerateFromPassword(pw, cost)` where cost < 10.
+ *
+ * Aligned with: OWASP ASVS 2.4.1, NIST SP 800-63B §5.1.1.2, gosec G401-style.
+ */
+import type { AnalysisPass, PassContext } from '../../graph/analysis-pass.js';
+export interface WeakPasswordHashResult {
+    findings: Array<{
+        line: number;
+        language: string;
+        kind: 'fast-unsalted-hash' | 'low-bcrypt-cost' | 'low-pbkdf2-iterations';
+        api: string;
+    }>;
+}
+export declare class WeakPasswordHashPass implements AnalysisPass<WeakPasswordHashResult> {
+    readonly name = "weak-password-hash";
+    readonly category: "security";
+    run(ctx: PassContext): WeakPasswordHashResult;
+    private detect;
+}
+//# sourceMappingURL=weak-password-hash-pass.d.ts.map

package/dist/analysis/passes/weak-password-hash-pass.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"weak-password-hash-pass.d.ts","sourceRoot":"","sources":["../../../src/analysis/passes/weak-password-hash-pass.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,8BAA8B,CAAC;AAmB9E,MAAM,WAAW,sBAAsB;IACrC,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,oBAAoB,GAAG,iBAAiB,GAAG,uBAAuB,CAAC;QACzE,GAAG,EAAE,MAAM,CAAC;KACb,CAAC,CAAC;CACJ;AAsBD,qBAAa,oBAAqB,YAAW,YAAY,CAAC,sBAAsB,CAAC;IAC/E,QAAQ,CAAC,IAAI,wBAAwB;IACrC,QAAQ,CAAC,QAAQ,EAAG,UAAU,CAAU;IAExC,GAAG,CAAC,GAAG,EAAE,WAAW,GAAG,sBAAsB;IA0C7C,OAAO,CAAC,MAAM;CAyIf"}