codeprobe-scanner 1.0.15 → 1.0.16

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.15",
+  "version": "1.0.16",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {

package/src/cli/commands/scan-with-fix.ts

@@ -8,6 +8,10 @@ import { ProgressLogger } from '../progress.js';
 import { GitError, handleError } from '../errors.js';
 import { EXIT_CODES } from '../../shared/constants.js';
 
+function escapeShellArg(arg: string): string {
+  return `'${arg.replace(/'/g, "'\\''")}'`;
+}
+
 function checkGitRepo(): boolean {
   try {
     execSync('git rev-parse --git-dir', { encoding: 'utf-8', stdio: 'pipe' });
@@ -28,7 +32,7 @@ function isGitDirty(): boolean {
 
 function createBranch(name: string): void {
   try {
-    execSync(`git checkout -b ${name}`, { encoding: 'utf-8', stdio: 'pipe' });
+    execSync(`git checkout -b ${escapeShellArg(name)}`, { encoding: 'utf-8', stdio: 'pipe' });
   } catch {
     throw new GitError(`Failed to create branch: ${name}`);
   }
@@ -36,9 +40,15 @@ function createBranch(name: string): void {
 
 function commitAndPush(message: string, branchName: string): void {
   execSync('git add package.json', { encoding: 'utf-8', stdio: 'pipe' });
-  execSync(`git -c commit.gpgsign=false commit -m "${message}"`, { encoding: 'utf-8', stdio: 'pipe' });
+  execSync(`git -c commit.gpgsign=false commit -m ${escapeShellArg(message)}`, {
+    encoding: 'utf-8',
+    stdio: 'pipe',
+  });
   try {
-    execSync(`git push -u origin ${branchName}`, { encoding: 'utf-8', stdio: 'pipe' });
+    execSync(`git push -u origin ${escapeShellArg(branchName)}`, {
+      encoding: 'utf-8',
+      stdio: 'pipe',
+    });
   } catch {
     // Push failed — not fatal, user can push manually
   }

package/src/engine/index.ts

@@ -6,6 +6,7 @@ import { createPatcher } from "./patcher";
 import { createReportBuilder } from "./report";
 import { Report, ScanCVE } from "../shared/types";
 import { findAllPackageJsons } from "../shared/file-scanner";
+import { createSASTScanner, CodeVulnerability } from "./sast";
 
 export class CodeProbeEngine {
   private parser = createParser();
@@ -14,11 +15,19 @@ export class CodeProbeEngine {
   private matcher = createMatcher();
   private patcher = createPatcher();
   private reportBuilder = createReportBuilder();
+  private sastScanner = createSASTScanner();
 
   getVideoRecorder() {
     return this.sandbox.getVideoRecorder();
   }
 
+  async scanCodeVulnerabilities(rootPath: string): Promise<CodeVulnerability[]> {
+    console.log("🔐 Scanning source code for vulnerabilities...");
+    const vulnerabilities = await this.sastScanner.scanRepository(rootPath);
+    console.log(`   Found ${vulnerabilities.length} potential vulnerabilities`);
+    return vulnerabilities;
+  }
+
   async scanRecursive(rootPath: string): Promise<Report> {
     const startTime = Date.now();
 

package/src/engine/report.ts

@@ -1,6 +1,7 @@
 import { Scan, ScanCVE, Report } from "../shared/types";
 import { PATHS } from "../shared/constants";
 import dayjs from "dayjs";
+import { randomBytes } from "crypto";
 
 export class ReportBuilder {
   async buildReport(
@@ -66,7 +67,7 @@ export class ReportBuilder {
   }
 
   private generateScanId(): string {
-    return `scan_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+    return `scan_${Date.now()}_${randomBytes(6).toString('hex')}`;
   }
 
   formatForTerminal(report: Report): string {

package/src/engine/sast.ts

@@ -0,0 +1,274 @@
+import { readdir, readFile } from "fs/promises";
+import { join } from "path";
+
+export interface CodeVulnerability {
+  id: string;
+  file: string;
+  line: number;
+  severity: "CRITICAL" | "HIGH" | "MEDIUM" | "LOW";
+  type: string;
+  description: string;
+  code: string;
+  suggestion: string;
+}
+
+export class SASTScanner {
+  private vulnerabilities: CodeVulnerability[] = [];
+
+  async scanRepository(rootPath: string): Promise<CodeVulnerability[]> {
+    this.vulnerabilities = [];
+    await this.scanDirectory(rootPath);
+    return this.vulnerabilities;
+  }
+
+  private async scanDirectory(dirPath: string, depth: number = 0): Promise<void> {
+    if (depth > 5) return; // Prevent deep recursion
+
+    try {
+      const entries = await readdir(dirPath, { withFileTypes: true });
+
+      for (const entry of entries) {
+        if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
+
+        const fullPath = join(dirPath, entry.name);
+
+        if (entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".js"))) {
+          await this.scanFile(fullPath);
+        } else if (entry.isDirectory()) {
+          await this.scanDirectory(fullPath, depth + 1);
+        }
+      }
+    } catch {
+      // Permission denied or other errors
+    }
+  }
+
+  private async scanFile(filePath: string): Promise<void> {
+    try {
+      const content = await readFile(filePath, "utf-8");
+      const lines = content.split("\n");
+
+      lines.forEach((line, index) => {
+        this.checkForHardcodedSecrets(line, filePath, index + 1);
+        this.checkForSQLInjection(line, filePath, index + 1);
+        this.checkForCommandInjection(line, filePath, index + 1);
+        this.checkForInsecureEval(line, filePath, index + 1);
+        this.checkForXSSVulnerabilities(line, filePath, index + 1);
+        this.checkForPathTraversal(line, filePath, index + 1);
+        this.checkForInsecureRandom(line, filePath, index + 1);
+      });
+    } catch {
+      // File read error
+    }
+  }
+
+  private checkForHardcodedSecrets(line: string, file: string, lineNum: number): void {
+    const secretPatterns = [
+      /(?:api_?key|apiKey|api_secret|secret)\s*[:=]\s*["'][^"']*["']/i,
+      /(?:password|passwd)\s*[:=]\s*["'][^"']*["']/i,
+      /(?:token|auth|bearer)\s*[:=]\s*["'][A-Za-z0-9_-]{20,}["']/i,
+      /(?:private_key|privateKey)\s*[:=]/i,
+      /(?:database_url|db_url|dburl)\s*[:=]\s*["'].*?(?:password|pwd)=/i,
+    ];
+
+    for (const pattern of secretPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `SECRET-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "CRITICAL",
+          type: "Hardcoded Secret",
+          description: "Hardcoded credentials or secrets detected in source code",
+          code: line.trim(),
+          suggestion:
+            "Move secrets to environment variables or use a secrets management tool like dotenv",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForSQLInjection(line: string, file: string, lineNum: number): void {
+    const sqlPatterns = [
+      /query\s*\(\s*[`'"]\s*SELECT.*?\$\{/i,
+      /execute\s*\(\s*[`'"]\s*SELECT.*?\$\{/i,
+      /sql\s*`\s*SELECT.*?\$\{/i,
+      /db\s*\.\s*query\s*\(\s*[`'"][^`'"]*\+/i,
+    ];
+
+    for (const pattern of sqlPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `SQL-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "CRITICAL",
+          type: "SQL Injection",
+          description: "Potential SQL injection vulnerability detected",
+          code: line.trim(),
+          suggestion:
+            "Use parameterized queries or prepared statements instead of string concatenation",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForCommandInjection(line: string, file: string, lineNum: number): void {
+    // Skip if using proper escaping functions
+    if (line.includes('escapeShellArg') || line.includes('quote') || line.includes('shellEscape')) {
+      return;
+    }
+
+    const cmdPatterns = [
+      /exec\s*\(\s*[`'"]\s*[^`'"]*\$\{[^}]*\}/i,
+      /execSync\s*\(\s*[`'"]\s*[^`'"]*\$\{[^}]*\}/i,
+      /spawn\s*\(\s*[`'"]\s*[^`'"]*\+/i,
+      /shell:\s*true/,
+    ];
+
+    for (const pattern of cmdPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `CMD-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "CRITICAL",
+          type: "Command Injection",
+          description: "Potential command injection vulnerability detected",
+          code: line.trim(),
+          suggestion:
+            "Avoid using shell=true and never pass user input to exec/spawn without sanitization",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForInsecureEval(line: string, file: string, lineNum: number): void {
+    // Skip if this is a comment or string literal describing the vulnerability
+    if (line.trim().startsWith("//") || line.trim().startsWith("*") || line.includes('description:') || line.includes('suggestion:')) {
+      return;
+    }
+
+    const evalPatterns = [
+      /\beval\s*\(/,
+      /new\s+Function\s*\(/,
+      /setTimeout\s*\(\s*["'`].*?["'`]/,
+      /setInterval\s*\(\s*["'`].*?["'`]/,
+    ];
+
+    for (const pattern of evalPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `EVAL-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "HIGH",
+          type: "Insecure Eval",
+          description: "Using eval() or Function() constructor with untrusted input is dangerous",
+          code: line.trim(),
+          suggestion: "Avoid eval() and Function() constructor. Use safer alternatives like JSON.parse()",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForXSSVulnerabilities(line: string, file: string, lineNum: number): void {
+    // Skip if this is a comment or string literal describing the vulnerability
+    if (line.trim().startsWith("//") || line.trim().startsWith("*") || line.includes('description:') || line.includes('suggestion:')) {
+      return;
+    }
+
+    const xssPatterns = [
+      /innerHTML\s*=\s*[^`'"]*\$\{/i,
+      /innerHTML\s*=\s*[^`'"]*\+/i,
+      /dangerouslySetInnerHTML\s*=\s*[^}]*}/,
+    ];
+
+    for (const pattern of xssPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `XSS-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "HIGH",
+          type: "Cross-Site Scripting (XSS)",
+          description: "Potential XSS vulnerability through innerHTML or dangerouslySetInnerHTML",
+          code: line.trim(),
+          suggestion:
+            "Use textContent instead of innerHTML, or sanitize user input before rendering. For React, use a library like DOMPurify",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForPathTraversal(line: string, file: string, lineNum: number): void {
+    const pathPatterns = [
+      /fs\.readFile\s*\(\s*[^,]*req\./i,
+      /path\.join\s*\(\s*[^,]*req\./i,
+      /fs\.readFileSync\s*\(\s*[^,]*req\./i,
+      /readFile\s*\(\s*\.\.\//,
+    ];
+
+    for (const pattern of pathPatterns) {
+      if (pattern.test(line)) {
+        this.addVulnerability({
+          id: `PATH-${file}-${lineNum}`,
+          file,
+          line: lineNum,
+          severity: "HIGH",
+          type: "Path Traversal",
+          description: "Potential path traversal vulnerability detected",
+          code: line.trim(),
+          suggestion:
+            "Validate and sanitize file paths. Use path.normalize() and ensure the path is within the allowed directory",
+        });
+        break;
+      }
+    }
+  }
+
+  private checkForInsecureRandom(line: string, file: string, lineNum: number): void {
+    // Skip if this is for timing delays (non-security critical)
+    if (
+      /[Tt]ime/.test(line) ||
+      line.includes('delay') ||
+      line.includes('timeout') ||
+      line.includes('* 1000') ||
+      line.includes('* 2000')
+    ) {
+      return;
+    }
+
+    // Skip if this is a comment or string literal
+    if (line.trim().startsWith("//") || line.trim().startsWith("*") || line.includes('description:') || line.includes('suggestion:')) {
+      return;
+    }
+
+    if (/Math\.random\s*\(\)/.test(line)) {
+      this.addVulnerability({
+        id: `RAND-${file}-${lineNum}`,
+        file,
+        line: lineNum,
+        severity: "MEDIUM",
+        type: "Insecure Random",
+        description: "Math.random() is not cryptographically secure",
+        code: line.trim(),
+        suggestion:
+          "Use crypto.getRandomBytes() or crypto.randomUUID() for security-sensitive operations",
+      });
+    }
+  }
+
+  private addVulnerability(vuln: CodeVulnerability): void {
+    if (!this.vulnerabilities.find((v) => v.id === vuln.id)) {
+      this.vulnerabilities.push(vuln);
+    }
+  }
+}
+
+export const createSASTScanner = () => new SASTScanner();

package/src/mcp/server.ts

@@ -2,6 +2,7 @@ import { createEngine } from "../engine/index.js";
 import { PATHS } from "../shared/constants.js";
 import { readFile } from "fs/promises";
 import path from "path";
+import { randomBytes } from "crypto";
 
 interface MCPRequest {
   jsonrpc: string;
@@ -25,7 +26,7 @@ async function handleToolCall(method: string, params?: Record<string, unknown>):
   switch (method) {
     case "scan_repository": {
       const repoUrl = params?.repo_url as string;
-      const scanId = `scan-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+      const scanId = `scan-${Date.now()}-${randomBytes(4).toString('hex')}`;
 
       activeScan.set(scanId, { status: "running", progress: 0 });
 

package/src/shared/utils.ts

@@ -1,4 +1,5 @@
 import chalk from 'chalk';
+import { randomBytes } from 'crypto';
 
 export function formatRiskScore(score: number): string {
   const level = getRiskLevel(score);
@@ -43,7 +44,7 @@ export function formatExploitable(exploitable: boolean): string {
 }
 
 export function generateScanId(): string {
-  return `scan_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+  return `scan_${Date.now()}_${randomBytes(6).toString('hex')}`;
 }
 
 export function bytesToHuman(bytes: number): string {