codeslick-cli 1.0.0 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +66 -23
- package/dist/packages/cli/src/commands/init.d.ts.map +1 -1
- package/dist/packages/cli/src/commands/init.js +6 -4
- package/dist/packages/cli/src/commands/init.js.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +1 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +55 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +25 -5
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +2 -1
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +54 -1
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +30 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +47 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -1
- package/package.json +3 -3
- package/src/commands/init.ts +6 -4
package/README.md
CHANGED
|
@@ -17,7 +17,23 @@ Catch security vulnerabilities before they enter your codebase with automated pr
|
|
|
17
17
|
|
|
18
18
|
## Installation
|
|
19
19
|
|
|
20
|
-
###
|
|
20
|
+
### Option 1: Use `npx` (Recommended - No Installation Required)
|
|
21
|
+
|
|
22
|
+
Run CodeSlick directly without installation:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
npx codeslick-cli --help
|
|
26
|
+
npx codeslick-cli init
|
|
27
|
+
npx codeslick-cli scan
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
**Benefits:**
|
|
31
|
+
- ✅ No permission issues
|
|
32
|
+
- ✅ Always runs latest version
|
|
33
|
+
- ✅ Works on all systems
|
|
34
|
+
- ✅ No global pollution
|
|
35
|
+
|
|
36
|
+
### Option 2: Global Installation
|
|
21
37
|
|
|
22
38
|
```bash
|
|
23
39
|
npm install -g codeslick-cli
|
|
@@ -33,10 +49,13 @@ cs --version
|
|
|
33
49
|
|
|
34
50
|
Both commands work identically. Use `cs` for faster typing!
|
|
35
51
|
|
|
36
|
-
|
|
52
|
+
**Note:** On macOS/Linux, you may encounter permission errors. See [Troubleshooting](#eacces-permission-denied-error-on-macoslinux) for solutions.
|
|
53
|
+
|
|
54
|
+
### Option 3: Local Installation (Per Project)
|
|
37
55
|
|
|
38
56
|
```bash
|
|
39
57
|
npm install --save-dev codeslick-cli
|
|
58
|
+
npx codeslick-cli init
|
|
40
59
|
```
|
|
41
60
|
|
|
42
61
|
## Quick Start
|
|
@@ -45,9 +64,9 @@ npm install --save-dev codeslick-cli
|
|
|
45
64
|
|
|
46
65
|
```bash
|
|
47
66
|
cd your-project/
|
|
48
|
-
codeslick init
|
|
49
|
-
# or
|
|
50
|
-
cs init
|
|
67
|
+
npx codeslick-cli init
|
|
68
|
+
# or if you installed globally:
|
|
69
|
+
codeslick init # or: cs init
|
|
51
70
|
```
|
|
52
71
|
|
|
53
72
|
This will:
|
|
@@ -153,7 +172,7 @@ codeslick config set languages js,ts,py # Enable only JS, TS, Python
|
|
|
153
172
|
|
|
154
173
|
## Command Aliases
|
|
155
174
|
|
|
156
|
-
|
|
175
|
+
**If installed globally**, you can use the shorter `cs` alias:
|
|
157
176
|
|
|
158
177
|
| Long Command | Short Alias | Description |
|
|
159
178
|
|--------------|-------------|-------------|
|
|
@@ -164,20 +183,17 @@ For faster typing, use `cs` instead of `codeslick`:
|
|
|
164
183
|
| `codeslick --help` | `cs --help` | Show help |
|
|
165
184
|
| `codeslick --version` | `cs --version` | Show version |
|
|
166
185
|
|
|
167
|
-
**Examples:**
|
|
186
|
+
**Examples (global installation only):**
|
|
168
187
|
```bash
|
|
169
|
-
#
|
|
188
|
+
# These only work after global installation:
|
|
170
189
|
codeslick scan --staged
|
|
171
190
|
cs scan --staged
|
|
172
191
|
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
codeslick init --force
|
|
177
|
-
cs init --force
|
|
192
|
+
# If using npx, use:
|
|
193
|
+
npx codeslick-cli scan --staged
|
|
178
194
|
```
|
|
179
195
|
|
|
180
|
-
|
|
196
|
+
**Note**: The `codeslick` and `cs` commands only work after global installation. If using `npx`, always use `npx codeslick-cli <command>`.
|
|
181
197
|
|
|
182
198
|
## Configuration
|
|
183
199
|
|
|
@@ -271,8 +287,7 @@ jobs:
|
|
|
271
287
|
- uses: actions/setup-node@v3
|
|
272
288
|
with:
|
|
273
289
|
node-version: 18
|
|
274
|
-
- run:
|
|
275
|
-
- run: codeslick scan --json > results.json
|
|
290
|
+
- run: npx codeslick-cli scan --json > results.json
|
|
276
291
|
- uses: actions/upload-artifact@v3
|
|
277
292
|
if: always()
|
|
278
293
|
with:
|
|
@@ -286,8 +301,7 @@ jobs:
|
|
|
286
301
|
codeslick:
|
|
287
302
|
image: node:18
|
|
288
303
|
script:
|
|
289
|
-
-
|
|
290
|
-
- codeslick scan --json > results.json
|
|
304
|
+
- npx codeslick-cli scan --json > results.json
|
|
291
305
|
artifacts:
|
|
292
306
|
when: always
|
|
293
307
|
paths:
|
|
@@ -302,8 +316,7 @@ pipeline {
|
|
|
302
316
|
stages {
|
|
303
317
|
stage('Security Scan') {
|
|
304
318
|
steps {
|
|
305
|
-
sh '
|
|
306
|
-
sh 'codeslick scan --json > results.json'
|
|
319
|
+
sh 'npx codeslick-cli scan --json > results.json'
|
|
307
320
|
}
|
|
308
321
|
}
|
|
309
322
|
}
|
|
@@ -367,19 +380,49 @@ chmod +x .git/hooks/pre-commit
|
|
|
367
380
|
codeslick init --force
|
|
368
381
|
```
|
|
369
382
|
|
|
383
|
+
### "EACCES: permission denied" error on macOS/Linux
|
|
384
|
+
|
|
385
|
+
**Problem**: Permission denied when installing globally:
|
|
386
|
+
```bash
|
|
387
|
+
npm error code EACCES
|
|
388
|
+
npm error syscall mkdir
|
|
389
|
+
npm error path /usr/local/lib/node_modules/codeslick-cli
|
|
390
|
+
```
|
|
391
|
+
|
|
392
|
+
**✅ Solution 1 - Use `npx` (Recommended - No installation needed)**:
|
|
393
|
+
```bash
|
|
394
|
+
npx codeslick-cli --help
|
|
395
|
+
npx codeslick-cli init
|
|
396
|
+
npx codeslick-cli scan
|
|
397
|
+
```
|
|
398
|
+
|
|
399
|
+
**Solution 2 - Fix npm permissions (Best long-term)**:
|
|
400
|
+
```bash
|
|
401
|
+
mkdir ~/.npm-global
|
|
402
|
+
npm config set prefix '~/.npm-global'
|
|
403
|
+
echo 'export PATH=~/.npm-global/bin:$PATH' >> ~/.zshrc
|
|
404
|
+
source ~/.zshrc
|
|
405
|
+
npm install -g codeslick-cli
|
|
406
|
+
```
|
|
407
|
+
|
|
408
|
+
**Solution 3 - Use sudo (Not recommended)**:
|
|
409
|
+
```bash
|
|
410
|
+
sudo npm install -g codeslick-cli
|
|
411
|
+
```
|
|
412
|
+
|
|
370
413
|
### "Command not found: codeslick" error
|
|
371
414
|
|
|
372
415
|
**Problem**: CLI not installed globally or not in PATH.
|
|
373
416
|
|
|
374
417
|
**Solution**: Install globally:
|
|
375
418
|
```bash
|
|
376
|
-
npm install -g
|
|
419
|
+
npm install -g codeslick-cli
|
|
377
420
|
```
|
|
378
421
|
|
|
379
422
|
**Solution**: Use npx (no install required):
|
|
380
423
|
```bash
|
|
381
|
-
npx
|
|
382
|
-
npx
|
|
424
|
+
npx codeslick-cli init
|
|
425
|
+
npx codeslick-cli scan
|
|
383
426
|
```
|
|
384
427
|
|
|
385
428
|
### Slow scanning performance
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAcH;;GAEG;AACH,UAAU,QAAQ;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACnD;
|
|
1
|
+
{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../../../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAcH;;GAEG;AACH,UAAU,QAAQ;IAChB,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,QAAQ,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;CACnD;AAsGD;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,IAAI,EAAE,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CA4D/D"}
|
|
@@ -25,6 +25,7 @@ const config_loader_1 = require("../config/config-loader");
|
|
|
25
25
|
const cli_reporter_1 = require("../reporters/cli-reporter");
|
|
26
26
|
/**
|
|
27
27
|
* Pre-commit hook template
|
|
28
|
+
* Uses npx to work regardless of installation method (global or npx)
|
|
28
29
|
*/
|
|
29
30
|
const PRE_COMMIT_HOOK = `#!/bin/sh
|
|
30
31
|
# CodeSlick pre-commit hook
|
|
@@ -33,7 +34,8 @@ const PRE_COMMIT_HOOK = `#!/bin/sh
|
|
|
33
34
|
# To skip this hook temporarily, use: git commit --no-verify
|
|
34
35
|
|
|
35
36
|
# Run CodeSlick scan on staged files
|
|
36
|
-
|
|
37
|
+
# Uses npx to work with both global and npx installations
|
|
38
|
+
npx codeslick-cli scan --staged
|
|
37
39
|
|
|
38
40
|
# Exit with the scan status
|
|
39
41
|
exit $?
|
|
@@ -149,9 +151,9 @@ async function initCommand(args) {
|
|
|
149
151
|
console.log('CodeSlick will automatically scan staged files before each commit.');
|
|
150
152
|
console.log('');
|
|
151
153
|
console.log('To scan files manually:');
|
|
152
|
-
console.log(' codeslick scan # Scan all files');
|
|
153
|
-
console.log(' codeslick scan --staged # Scan staged files only');
|
|
154
|
-
console.log(' codeslick scan src/**/*.js # Scan specific files');
|
|
154
|
+
console.log(' npx codeslick-cli scan # Scan all files');
|
|
155
|
+
console.log(' npx codeslick-cli scan --staged # Scan staged files only');
|
|
156
|
+
console.log(' npx codeslick-cli scan src/**/*.js # Scan specific files');
|
|
155
157
|
console.log('');
|
|
156
158
|
console.log('To skip the pre-commit hook temporarily:');
|
|
157
159
|
console.log(' git commit --no-verify');
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../../../src/commands/init.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;
|
|
1
|
+
{"version":3,"file":"init.js","sourceRoot":"","sources":["../../../../../src/commands/init.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;;;AAmIH,kCA4DC;AA7LD,2BAAgC;AAChC,0CAAsD;AACtD,+BAA+B;AAC/B,8CAAsB;AACtB,2DAKiC;AACjC,4DAAmF;AAUnF;;;GAGG;AACH,MAAM,eAAe,GAAG;;;;;;;;;;;;CAYvB,CAAC;AAEF;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAClD,OAAO,IAAA,eAAU,EAAC,IAAA,cAAO,EAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC/C,OAAO,IAAA,cAAO,EAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AACvC,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IACnD,OAAO,IAAA,cAAO,EAAC,YAAY,CAAC,GAAG,CAAC,EAAE,YAAY,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,SAAS,eAAe,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAClD,OAAO,IAAA,eAAU,EAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,gBAAgB,CAC7B,IAAc,EACd,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,MAAM,OAAO,GAAG,IAAA,aAAG,EAAC,0BAA0B,CAAC,CAAC,KAAK,EAAE,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,MAAM,GAAoB;YAC9B,GAAG,8BAAc;YACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,8BAAc,CAAC,QAAQ;SACnD,CAAC;QAEF,MAAM,IAAA,0BAAU,EAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAE9B,OAAO,CAAC,OAAO,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QACjD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,oBAAoB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC7D,MAAM,OAAO,GAAG,IAAA,aAAG,EAAC,4BAA4B,CAAC,CAAC,KAAK,EAAE,CAAC;IAE1D,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QACpC,MAAM,aAAa,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QAE5C,6CAA6C;QAC7C,IAAI,CAAC,IAAA,eAAU,EAAC,SAAS,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAA,gBAAK,EAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9C,CAAC;QAED,wBAAwB;QACxB,MAAM,IAAA,oBAAS,EAAC,aAAa,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;QAEzD,8BAA8B;QAC9B,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjC,MAAM,IAAA,gBAAK,EAAC,aAAa,EAAE,KAAK,CAAC,CAAC;QACpC,CAAC;QAED,OAAO,CAAC,OAAO,CAAC,2BAA2B,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;QAClD,MAAM,KAAK,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,WAAW,CAAC,IAAc;IAC9C,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAE1B,qCAAqC;QACrC,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,IAAA,yBAAU,EAAC,2DAA2D,CAAC,CAAC;YACxE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,iCAAiC;QACjC,IAAI,IAAA,4BAAY,EAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACrC,IAAA,2BAAY,EACV,2DAA2D,CAC5D,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QACpC,CAAC;QAED,0CAA0C;QAC1C,IAAI,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YACxC,IAAA,2BAAY,EACV,2DAA2D,CAC5D,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAC;QAClC,CAAC;QAED,wBAAwB;QACxB,IAAA,2BAAY,EAAC,qCAAqC,CAAC,CAAC;QAEpD,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,CAAC;QACjD,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QAClF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QACvC,OAAO,CAAC,GAAG,CAAC,4DAA4D,CAAC,CAAC;QAC1E,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QAClF,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAC;QAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,IAAA,yBAAU,EAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,IAAA,yBAAU,EAAC,2BAA2B,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}
|
|
@@ -16,6 +16,7 @@ import { SecurityVulnerability } from '../../types';
|
|
|
16
16
|
* - Check #4: Unsigned JAR usage (HIGH) - NEW OWASP 2025
|
|
17
17
|
* - Check #5: Dependency confusion (HIGH) - NEW OWASP 2025
|
|
18
18
|
* - Check #6: Runtime bytecode loading (CRITICAL) - NEW OWASP 2025
|
|
19
|
+
* - Check #7: Downloaded code execution without integrity verification (CRITICAL) - NEW Jan 10, 2026
|
|
19
20
|
*
|
|
20
21
|
* @param lines - Array of code lines
|
|
21
22
|
* @returns Array of security vulnerabilities found
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD
|
|
1
|
+
{"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAoUzB"}
|
|
@@ -19,6 +19,7 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
19
19
|
* - Check #4: Unsigned JAR usage (HIGH) - NEW OWASP 2025
|
|
20
20
|
* - Check #5: Dependency confusion (HIGH) - NEW OWASP 2025
|
|
21
21
|
* - Check #6: Runtime bytecode loading (CRITICAL) - NEW OWASP 2025
|
|
22
|
+
* - Check #7: Downloaded code execution without integrity verification (CRITICAL) - NEW Jan 10, 2026
|
|
22
23
|
*
|
|
23
24
|
* @param lines - Array of code lines
|
|
24
25
|
* @returns Array of security vulnerabilities found
|
|
@@ -28,6 +29,8 @@ function checkEnhancedSupplyChain(lines) {
|
|
|
28
29
|
let inMultiLineComment = false;
|
|
29
30
|
// Track user input variables for dynamic class loading detection
|
|
30
31
|
const userInputVars = new Set();
|
|
32
|
+
// Track downloaded files (from URL.openStream, HttpClient, etc.)
|
|
33
|
+
const downloadedFiles = new Map(); // filename -> line number where downloaded
|
|
31
34
|
lines.forEach((line, index) => {
|
|
32
35
|
const trimmedLine = line.trim();
|
|
33
36
|
// CRITICAL: Track multi-line comment blocks (/* ... */)
|
|
@@ -58,6 +61,19 @@ function checkEnhancedSupplyChain(lines) {
|
|
|
58
61
|
userInputVars.add(varMatch[1]);
|
|
59
62
|
}
|
|
60
63
|
}
|
|
64
|
+
// Track downloaded files (URL.openStream, Files.copy from URL, HttpClient downloads)
|
|
65
|
+
// Pattern: Files.copy(in, Paths.get("plugin.jar")), or similar download operations
|
|
66
|
+
if (lowerLine.includes('files.copy') || lowerLine.includes('.download') ||
|
|
67
|
+
lowerLine.includes('url.openstream') || lowerLine.includes('httpclient')) {
|
|
68
|
+
// Extract filename from Paths.get("filename") or similar patterns
|
|
69
|
+
const filenameMatch = trimmedLine.match(/paths\.get\s*\(\s*["']([^"']+)["']/i) ||
|
|
70
|
+
trimmedLine.match(/file\s*\(\s*["']([^"']+)["']/i) ||
|
|
71
|
+
trimmedLine.match(/outputstream\s*\(\s*["']([^"']+)["']/i);
|
|
72
|
+
if (filenameMatch) {
|
|
73
|
+
const filename = filenameMatch[1];
|
|
74
|
+
downloadedFiles.set(filename, index + 1);
|
|
75
|
+
}
|
|
76
|
+
}
|
|
61
77
|
// Check #1: Dynamic class loading with user input (ENHANCED OWASP 2025)
|
|
62
78
|
if (lowerLine.includes('class.forname(') || lowerLine.includes('classloader.loadclass(') ||
|
|
63
79
|
lowerLine.includes('.loadclass(')) {
|
|
@@ -172,6 +188,45 @@ function checkEnhancedSupplyChain(lines) {
|
|
|
172
188
|
'Complete application and system compromise'
|
|
173
189
|
], 'return defineClass(null, bytecode, 0, bytecode.length);', '// Validate bytecode signatures before loading\n// Or use standard class loading mechanisms instead', 'Runtime bytecode loading should be avoided or bytecode should be cryptographically verified'));
|
|
174
190
|
}
|
|
191
|
+
// Check #7: Downloaded code execution without integrity verification - NEW Jan 10, 2026
|
|
192
|
+
// Pattern: Runtime.exec("java -jar downloaded_file.jar") without checksum/signature verification
|
|
193
|
+
if (lowerLine.includes('runtime.exec') || lowerLine.includes('processbuilder')) {
|
|
194
|
+
// Check if executing a JAR file
|
|
195
|
+
const isJarExecution = lowerLine.includes('.jar') || lowerLine.includes('java -jar');
|
|
196
|
+
if (isJarExecution) {
|
|
197
|
+
// Check if this JAR was downloaded (exists in downloadedFiles map)
|
|
198
|
+
let isDownloadedFile = false;
|
|
199
|
+
for (const [filename] of downloadedFiles) {
|
|
200
|
+
if (trimmedLine.includes(filename)) {
|
|
201
|
+
isDownloadedFile = true;
|
|
202
|
+
break;
|
|
203
|
+
}
|
|
204
|
+
}
|
|
205
|
+
// Check for checksum/signature verification in surrounding lines
|
|
206
|
+
const contextLines = lines.slice(Math.max(0, index - 20), Math.min(index + 5, lines.length));
|
|
207
|
+
const hasIntegrityCheck = contextLines.some(l => {
|
|
208
|
+
const lowerContext = l.toLowerCase();
|
|
209
|
+
return lowerContext.includes('checksum') ||
|
|
210
|
+
lowerContext.includes('sha256') ||
|
|
211
|
+
lowerContext.includes('sha512') ||
|
|
212
|
+
lowerContext.includes('md5') ||
|
|
213
|
+
lowerContext.includes('verify') && lowerContext.includes('hash') ||
|
|
214
|
+
lowerContext.includes('messagedigest') ||
|
|
215
|
+
lowerContext.includes('signature') && lowerContext.includes('verify');
|
|
216
|
+
});
|
|
217
|
+
// Flag if it's a JAR execution (especially if downloaded) without integrity checks
|
|
218
|
+
if (!hasIntegrityCheck && (isDownloadedFile || lowerLine.includes('download') || lowerLine.includes('http'))) {
|
|
219
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaSecurityVulnerability)('downloaded-code-execution-without-verification', 'CRITICAL: Executing downloaded JAR without checksum/signature verification', 'Verify JAR integrity using SHA-256 checksum or digital signature before execution', index + 1, 'Executing downloaded code (JAR files) without integrity verification allows attackers to serve malicious code via man-in-the-middle attacks or compromised servers. The application will execute tampered code leading to complete system compromise.', 'URL url = new URL("http://example.com/plugin.jar");\nInputStream in = url.openStream();\nFiles.copy(in, Paths.get("plugin.jar"));\nRuntime.getRuntime().exec("java -jar plugin.jar"); // No integrity check!', [
|
|
220
|
+
'Remote Code Execution from tampered downloads',
|
|
221
|
+
'Man-in-the-middle attacks serving malicious JARs',
|
|
222
|
+
'Supply chain compromise via infected downloads',
|
|
223
|
+
'Complete system takeover',
|
|
224
|
+
'Backdoor installation',
|
|
225
|
+
'Data exfiltration and credential theft'
|
|
226
|
+
], 'Runtime.getRuntime().exec("java -jar plugin.jar"); // No checksum verification', '// Verify SHA-256 checksum before execution\nString expectedChecksum = "abc123...";\nString actualChecksum = calculateSHA256("plugin.jar");\nif (!expectedChecksum.equals(actualChecksum)) {\n throw new SecurityException("JAR integrity check failed");\n}\n// OR verify digital signature\nif (!verifyJarSignature("plugin.jar")) {\n throw new SecurityException("JAR signature invalid");\n}\nRuntime.getRuntime().exec("java -jar plugin.jar");', 'Always verify downloaded code using SHA-256/SHA-512 checksums or digital signatures before execution. Never execute untrusted code without integrity verification.'));
|
|
227
|
+
}
|
|
228
|
+
}
|
|
229
|
+
}
|
|
175
230
|
});
|
|
176
231
|
return vulnerabilities;
|
|
177
232
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;
|
|
1
|
+
{"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/java/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAoBH,4DAsUC;AAvVD,sEAA+E;AAE/E;;;;;;;;;;;;;;GAcG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,iEAAiE;IACjE,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,iEAAiE;IACjE,MAAM,eAAe,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,2CAA2C;IAE9F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,+DAA+D;QAC/D,qFAAqF;QACrF,4EAA4E;QAC5E,iDAAiD;QACjD,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,0CAA0C;QAC1C,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC1C,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACxC,MAAM,QAAQ,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAChD,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,qFAAqF;QACrF,mFAAmF;QACnF,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;YACnE,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC7E,kEAAkE;YAClE,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,CAAC,qCAAqC,CAAC;gBACzD,WAAW,CAAC,KAAK,CAAC,+BAA+B,CAAC;gBAClD,WAAW,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAChF,IAAI,aAAa,EAAE,CAAC;gBAClB,MAAM,QAAQ,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;gBAClC,eAAe,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,wEAAwE;QACxE,IAAI,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YACpF,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACtC,iEAAiE;YACjE,IAAI,aAAa,GAAG,KAAK,CAAC;YAE1B,IAAI,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACrF,aAAa,GAAG,IAAI,CAAC;YACvB,CAAC;YAED,mDAAmD;YACnD,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;oBAClC,aAAa,GAAG,IAAI,CAAC;oBACrB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,MAAM,kBAAkB,GAAG,qCAAqC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAEnF,iCAAiC;YACjC,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAChG,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC;YAC9D,MAAM,mBAAmB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC7C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAClE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;oBAC/B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;YAC/E,CAAC,CAAC,CAAC;YAEH,IAAI,aAAa,IAAI,CAAC,kBAAkB,IAAI,CAAC,qBAAqB,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBAC3F,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,uBAAuB,EACvB,wEAAwE,EACxE,qFAAqF,EACrF,KAAK,GAAG,CAAC,EACT,oMAAoM,EACpM,oGAAoG,EACpG;oBACE,6DAA6D;oBAC7D,2CAA2C;oBAC3C,uCAAuC;oBACvC,4CAA4C;oBAC5C,sCAAsC;iBACvC,EACD,0BAA0B,EAC1B,yJAAyJ,EACzJ,qIAAqI,CACtI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACjG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;YACtE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,2BAA2B,EAC3B,iEAAiE,EACjE,0EAA0E,EAC1E,KAAK,GAAG,CAAC,EACT,qFAAqF,EACrF,kEAAkE,EAClE;gBACE,mDAAmD;gBACnD,gDAAgD;gBAChD,uDAAuD;gBACvD,sDAAsD;aACvD,EACD,2CAA2C,EAC3C,4CAA4C,EAC5C,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,sEAAsE;QACtE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACpE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,qBAAqB;gBACrD,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,qBAAqB;gBACtD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,sBAAsB;gBACxD,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,sBAAsB;gBACxD,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB;gBACpD,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,oBAAoB;gBACpD,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC,CAAC,wBAAwB;YAChE,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,uBAAuB,EACvB,mEAAmE,EACnE,8DAA8D,EAC9D,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,uDAAuD,EACvD;gBACE,6CAA6C;gBAC7C,gDAAgD;gBAChD,6CAA6C;gBAC7C,wCAAwC;aACzC,EACD,6CAA6C,EAC7C,4EAA4E,EAC5E,iGAAiG,CAClG,CACF,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YACvE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBACtE,MAAM,SAAS,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC;oBACvC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACzE,CAAC,CAAC,EAAE,CAAC;YACP,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,oBAAoB,EACpB,qDAAqD,EACrD,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,uEAAuE,EACvE;gBACE,6CAA6C;gBAC7C,kDAAkD;gBAClD,yCAAyC;gBACzC,4CAA4C;aAC7C,EACD,gEAAgE,EAChE,+JAA+J,EAC/J,6EAA6E,CAC9E,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,uEAAuE;QACvE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YAC3G,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,kBAAkB,CAAC;gBACzE,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC;gBAC7B,4EAA4E;gBAC5E,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YAExE,4DAA4D;YAC5D,MAAM,kBAAkB,GAAG,WAAW,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAEtF,0DAA0D;YAC1D,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC9F,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;gBACpC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;oBACnE,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3E,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,cAAc,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,sBAAsB,EACtB,sFAAsF,EACtF,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,2GAA2G,EAC3G,uEAAuE,EACvE;oBACE,0DAA0D;oBAC1D,uDAAuD;oBACvD,mDAAmD;oBACnD,4CAA4C;iBAC7C,EACD,2DAA2D,EAC3D,qJAAqJ,EACrJ,6GAA6G,CAC9G,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;YAClC,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACnE,CAAC,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YACtF,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,0BAA0B,EAC1B,qEAAqE,EACrE,8EAA8E,EAC9E,KAAK,GAAG,CAAC,EACT,gGAAgG,EAChG,kFAAkF,EAClF;gBACE,kDAAkD;gBAClD,iDAAiD;gBACjD,8CAA8C;gBAC9C,4CAA4C;aAC7C,EACD,yDAAyD,EACzD,qGAAqG,EACrG,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;QAED,wFAAwF;QACxF,iGAAiG;QACjG,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC/E,gCAAgC;YAChC,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAErF,IAAI,cAAc,EAAE,CAAC;gBACnB,mEAAmE;gBACnE,IAAI,gBAAgB,GAAG,KAAK,CAAC;gBAC7B,KAAK,MAAM,CAAC,QAAQ,CAAC,IAAI,eAAe,EAAE,CAAC;oBACzC,IAAI,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;wBACnC,gBAAgB,GAAG,IAAI,CAAC;wBACxB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,iEAAiE;gBACjE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;gBAC7F,MAAM,iBAAiB,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;oBAC9C,MAAM,YAAY,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;oBACrC,OAAO,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC;wBACjC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;wBAC/B,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;wBAC/B,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;wBAC5B,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;wBAChE,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC;wBACtC,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;gBAC/E,CAAC,CAAC,CAAC;gBAEH,mFAAmF;gBACnF,IAAI,CAAC,iBAAiB,IAAI,CAAC,gBAAgB,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;oBAC7G,eAAe,CAAC,IAAI,CAClB,IAAA,qDAA+B,EAC7B,gDAAgD,EAChD,4EAA4E,EAC5E,mFAAmF,EACnF,KAAK,GAAG,CAAC,EACT,uPAAuP,EACvP,8MAA8M,EAC9M;wBACE,+CAA+C;wBAC/C,kDAAkD;wBAClD,gDAAgD;wBAChD,0BAA0B;wBAC1B,uBAAuB;wBACvB,wCAAwC;qBACzC,EACD,gFAAgF,EAChF,6bAA6b,EAC7b,oKAAoK,CACrK,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,
|
|
1
|
+
{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA4OzB"}
|
|
@@ -24,6 +24,8 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
24
24
|
function checkAccessControl(lines) {
|
|
25
25
|
const vulnerabilities = [];
|
|
26
26
|
let inMultiLineComment = false;
|
|
27
|
+
// Track variables assigned from req.params/req.query/req.body for IDOR detection
|
|
28
|
+
const userInputVariables = new Map();
|
|
27
29
|
lines.forEach((line, index) => {
|
|
28
30
|
const lineNumber = index + 1;
|
|
29
31
|
const trimmed = line.trim();
|
|
@@ -38,6 +40,14 @@ function checkAccessControl(lines) {
|
|
|
38
40
|
// Skip comments and empty lines
|
|
39
41
|
if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
|
|
40
42
|
return;
|
|
43
|
+
// Track variable assignments from user input (for IDOR detection)
|
|
44
|
+
// Pattern: const userId = req.params.id, const id = req.query.userId, let userInput = req.body.data
|
|
45
|
+
const userInputAssignment = trimmed.match(/(?:const|let|var)\s+(\w+)\s*=\s*(req\.(?:params|query|body)\.[\w.]+)/i);
|
|
46
|
+
if (userInputAssignment) {
|
|
47
|
+
const varName = userInputAssignment[1];
|
|
48
|
+
const source = userInputAssignment[2];
|
|
49
|
+
userInputVariables.set(varName, { source, lineNumber });
|
|
50
|
+
}
|
|
41
51
|
// OWASP A01:2025 - Broken Access Control
|
|
42
52
|
// Check #92: Missing authentication middleware - HIGH
|
|
43
53
|
// Pattern: app.get/post/put/delete/patch routes without authentication
|
|
@@ -110,11 +120,21 @@ function checkAccessControl(lines) {
|
|
|
110
120
|
}
|
|
111
121
|
// OWASP A01:2025 - Broken Access Control
|
|
112
122
|
// Check #94: Insecure Direct Object Reference (IDOR) - HIGH
|
|
113
|
-
// Pattern: Database queries using req.params/req.query without ownership validation
|
|
114
|
-
// Examples: getUserById(req.params.id),
|
|
115
|
-
const idorPattern = /(getUserById|findById|findOne|getById|deleteById|updateById|get\w+ById)\s*\(\s*(req\.params|req\.query|req\.body)/i;
|
|
116
|
-
const dbAccessPattern = /\.(find|findOne|update|delete|remove)\s*\(\s*\{\s*(_?id|userId|user_id|accountId|account_id)\s*:\s*(req\.params|req\.query|req\.body)/i;
|
|
117
|
-
|
|
123
|
+
// Pattern: Database queries using req.params/req.query OR tracked variables without ownership validation
|
|
124
|
+
// Examples: getUserById(req.params.id), getUserById(userId) where userId = req.params.id
|
|
125
|
+
const idorPattern = /(getUserById|findById|findOne|getById|deleteById|updateById|get\w+ById|get\w+|fetch\w+|load\w+)\s*\(\s*(req\.params|req\.query|req\.body|[\w.]+)\s*[),]/i;
|
|
126
|
+
const dbAccessPattern = /\.(find|findOne|update|delete|remove)\s*\(\s*\{\s*(_?id|userId|user_id|accountId|account_id)\s*:\s*(req\.params|req\.query|req\.body|[\w]+)\s*[},]/i;
|
|
127
|
+
const isIdorMatch = trimmed.match(idorPattern) || trimmed.match(dbAccessPattern);
|
|
128
|
+
// Check if using tracked user input variable
|
|
129
|
+
let usesTrackedVariable = false;
|
|
130
|
+
for (const [varName] of userInputVariables) {
|
|
131
|
+
// Check if the line contains the tracked variable in a database access context
|
|
132
|
+
if (isIdorMatch && trimmed.includes(varName)) {
|
|
133
|
+
usesTrackedVariable = true;
|
|
134
|
+
break;
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
if (isIdorMatch && (trimmed.match(/req\.(params|query|body)/i) || usesTrackedVariable)) {
|
|
118
138
|
// Check if there's ownership validation in next 10 lines
|
|
119
139
|
const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
|
|
120
140
|
const hasOwnershipCheck = nextLines.some(l => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/access-control.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAiBH,
|
|
1
|
+
{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/access-control.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAiBH,gDA8OC;AA5PD,sEAAqF;AAErF;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAChC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,iFAAiF;IACjF,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAkD,CAAC;IAErF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,kEAAkE;QAClE,oGAAoG;QACpG,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;QACnH,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACtC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,yCAAyC;QACzC,sDAAsD;QACtD,uEAAuE;QACvE,0FAA0F;QAC1F,MAAM,YAAY,GAAG,2DAA2D,CAAC;QACjF,MAAM,cAAc,GAAG,0DAA0D,CAAC;QAElF,IAAI,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YACjE,+CAA+C;YAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACjC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAEnD,sDAAsD;YACtD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,kBAAkB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO;gBACL,4DAA4D;gBAC5D,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;oBACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;oBACnE,sCAAsC;oBACtC,SAAS,CAAC,QAAQ,CAAC,2BAA2B,CAAC;oBAC/C,6BAA6B;oBAC7B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,qDAAqD;oBACrD,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CACpG,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,aAAa,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mCAAmC,EACnC,yFAAyF,EACzF,0GAA0G,EAC1G,UAAU,EACV,qJAAqJ,EACrJ,yGAAyG,EACzG;oBACE,uCAAuC;oBACvC,6CAA6C;oBAC7C,gDAAgD;oBAChD,uBAAuB;oBACvB,gDAAgD;iBACjD,EACD,2EAA2E,EAC3E,2FAA2F,EAC3F,qGAAqG,CACtG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,mDAAmD;QACnD,yEAAyE;QACzE,qGAAqG;QACrG,MAAM,qBAAqB,GAAG,oFAAoF,CAAC;QACnH,MAAM,eAAe,GAAG,qEAAqE,CAAC;QAE9F,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,4EAA4E;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACxE,MAAM,qBAAqB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACpB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACpB,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC;gBACxB,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAC5B,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAC5B,CAAC;YAEF,wEAAwE;YACxE,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACtC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACtB,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAC1B,CAAC;YAEF,IAAI,qBAAqB,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,2BAA2B,EAC3B,yFAAyF,EACzF,kGAAkG,EAClG,UAAU,EACV,0LAA0L,EAC1L,uHAAuH,EACvH;oBACE,yDAAyD;oBACzD,qCAAqC;oBACrC,uCAAuC;oBACvC,gCAAgC;oBAChC,uBAAuB;oBACvB,2DAA2D;iBAC5D,EACD,mFAAmF,EACnF,kPAAkP,EAClP,4IAA4I,CAC7I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,4DAA4D;QAC5D,yGAAyG;QACzG,yFAAyF;QACzF,MAAM,WAAW,GAAG,0JAA0J,CAAC;QAC/K,MAAM,eAAe,GAAG,qJAAqJ,CAAC;QAE9K,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAEjF,6CAA6C;QAC7C,IAAI,mBAAmB,GAAG,KAAK,CAAC;QAChC,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,kBAAkB,EAAE,CAAC;YAC3C,+EAA+E;YAC/E,IAAI,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,mBAAmB,GAAG,IAAI,CAAC;gBAC3B,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,WAAW,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,IAAI,mBAAmB,CAAC,EAAE,CAAC;YACvF,yDAAyD;YACzD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO;gBACL,0CAA0C;gBAC1C,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACrF,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACtF,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBACpC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC7B,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;oBAC9D,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAClE,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,kCAAkC,EAClC,0FAA0F,EAC1F,4GAA4G,EAC5G,UAAU,EACV,yLAAyL,EACzL,6IAA6I,EAC7I;oBACE,2CAA2C;oBAC3C,gDAAgD;oBAChD,iCAAiC;oBACjC,4CAA4C;oBAC5C,oDAAoD;oBACpD,uBAAuB;iBACxB,EACD,qFAAqF,EACrF,8JAA8J,EAC9J,iHAAiH,CAClH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,wEAAwE;QACxE,8EAA8E;QAC9E,MAAM,oBAAoB,GAAG,kIAAkI,CAAC;QAEhK,IAAI,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;YACxC,oEAAoE;YACpE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACxE,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACvC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;gBACzB,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CACxB,CAAC;YAEF,0DAA0D;YAC1D,IAAI,CAAC,aAAa,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAClD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,kFAAkF,EAClF,8FAA8F,EAC9F,UAAU,EACV,gMAAgM,EAChM,iHAAiH,EACjH;oBACE,mDAAmD;oBACnD,+CAA+C;oBAC/C,8CAA8C;oBAC9C,+CAA+C;oBAC/C,uBAAuB;iBACxB,EACD,8DAA8D,EAC9D,mIAAmI,EACnI,8GAA8G,CAC/G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -9,7 +9,7 @@ import { SecurityVulnerability } from '../../types';
|
|
|
9
9
|
/**
|
|
10
10
|
* Checks for exception handling security vulnerabilities in JavaScript code
|
|
11
11
|
*
|
|
12
|
-
* Covers (Enhanced Dec 30, 2025 - Phase 3):
|
|
12
|
+
* Covers (Enhanced Dec 30, 2025 - Phase 3 | Jan 10, 2026 - User Testing Fixes):
|
|
13
13
|
* - Check #1: Unhandled Promise rejections (HIGH)
|
|
14
14
|
* - Check #2: Empty catch blocks (MEDIUM) - FIXED pattern
|
|
15
15
|
* - Check #3: Catching and ignoring errors (MEDIUM)
|
|
@@ -20,6 +20,7 @@ import { SecurityVulnerability } from '../../types';
|
|
|
20
20
|
* - Check #8: Sensitive data in logs (CRITICAL) - NEW
|
|
21
21
|
* - Check #9: Log injection vulnerabilities (HIGH) - NEW
|
|
22
22
|
* - Check #10: Missing error logging in critical operations (MEDIUM) - NEW
|
|
23
|
+
* - Check #11: Fail-open financial operations (CRITICAL) - NEW Jan 10, 2026
|
|
23
24
|
*
|
|
24
25
|
* @param lines - Array of code lines
|
|
25
26
|
* @returns Array of security vulnerabilities found
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD
|
|
1
|
+
{"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA0azB"}
|
|
@@ -12,7 +12,7 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
12
12
|
/**
|
|
13
13
|
* Checks for exception handling security vulnerabilities in JavaScript code
|
|
14
14
|
*
|
|
15
|
-
* Covers (Enhanced Dec 30, 2025 - Phase 3):
|
|
15
|
+
* Covers (Enhanced Dec 30, 2025 - Phase 3 | Jan 10, 2026 - User Testing Fixes):
|
|
16
16
|
* - Check #1: Unhandled Promise rejections (HIGH)
|
|
17
17
|
* - Check #2: Empty catch blocks (MEDIUM) - FIXED pattern
|
|
18
18
|
* - Check #3: Catching and ignoring errors (MEDIUM)
|
|
@@ -23,6 +23,7 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
23
23
|
* - Check #8: Sensitive data in logs (CRITICAL) - NEW
|
|
24
24
|
* - Check #9: Log injection vulnerabilities (HIGH) - NEW
|
|
25
25
|
* - Check #10: Missing error logging in critical operations (MEDIUM) - NEW
|
|
26
|
+
* - Check #11: Fail-open financial operations (CRITICAL) - NEW Jan 10, 2026
|
|
26
27
|
*
|
|
27
28
|
* @param lines - Array of code lines
|
|
28
29
|
* @returns Array of security vulnerabilities found
|
|
@@ -221,6 +222,58 @@ function checkExceptionHandling(lines) {
|
|
|
221
222
|
], 'await db.users.update({ id }, { role: "admin" }); // No error handling', 'try {\n await db.users.update({ id }, { role: "admin" });\n logger.info("User role updated", { userId: id, newRole: "admin" });\n} catch (err) {\n logger.error("Failed to update user role", { userId: id, error: err });\n throw err;\n}', 'Wrap all critical operations in try-catch blocks with comprehensive error logging including context (user, operation, timestamp).'));
|
|
222
223
|
}
|
|
223
224
|
}
|
|
225
|
+
// Check #11: Fail-open financial operations (CRITICAL) - NEW Jan 10, 2026
|
|
226
|
+
// Pattern: Financial operations in try-catch that return success status even when error occurs
|
|
227
|
+
// Example: try { db.insert(...) } catch (e) { } res.send({ status: "processed" });
|
|
228
|
+
const isFinancialRoute = /\.(post|put)\s*\(\s*['"`].*\/(billing|charge|payment|transfer|withdraw|deposit)/i.test(trimmedLine);
|
|
229
|
+
const isFinancialOperation = /(db|database)\.(insert|update|execute|query).*\b(charges?|payments?|transactions?|billing)\b/i.test(trimmedLine) ||
|
|
230
|
+
/(stripe|paypal|charge|payment|bill)\./i.test(trimmedLine);
|
|
231
|
+
if (isFinancialRoute || isFinancialOperation) {
|
|
232
|
+
// Check for try-catch pattern with success response outside
|
|
233
|
+
const contextLines = lines.slice(index, Math.min(index + 15, lines.length));
|
|
234
|
+
const hasCatchBlock = contextLines.some(l => l.toLowerCase().includes('catch'));
|
|
235
|
+
const hasSuccessResponse = contextLines.some(l => {
|
|
236
|
+
const lowerLine = l.toLowerCase();
|
|
237
|
+
return (lowerLine.includes('res.send') || lowerLine.includes('res.json')) &&
|
|
238
|
+
(lowerLine.includes('success') || lowerLine.includes('processed') || lowerLine.includes('complete') || lowerLine.includes('ok'));
|
|
239
|
+
});
|
|
240
|
+
// Check if success response is INSIDE the catch block (which is wrong)
|
|
241
|
+
// OR if success response is OUTSIDE try-catch (always executed regardless of error)
|
|
242
|
+
if (hasCatchBlock && hasSuccessResponse) {
|
|
243
|
+
// Find if the success response is inside or outside the catch
|
|
244
|
+
let catchBlockIndex = -1;
|
|
245
|
+
let successResponseIndex = -1;
|
|
246
|
+
let catchBlockEnds = -1;
|
|
247
|
+
for (let i = 0; i < contextLines.length; i++) {
|
|
248
|
+
const lowerCtxLine = contextLines[i].toLowerCase();
|
|
249
|
+
if (lowerCtxLine.includes('catch')) {
|
|
250
|
+
catchBlockIndex = i;
|
|
251
|
+
}
|
|
252
|
+
if ((lowerCtxLine.includes('res.send') || lowerCtxLine.includes('res.json')) &&
|
|
253
|
+
(lowerCtxLine.includes('success') || lowerCtxLine.includes('processed') || lowerCtxLine.includes('complete') || lowerCtxLine.includes('ok'))) {
|
|
254
|
+
successResponseIndex = i;
|
|
255
|
+
}
|
|
256
|
+
// Track catch block closing (simple heuristic: closing brace after catch)
|
|
257
|
+
if (catchBlockIndex !== -1 && catchBlockEnds === -1 && contextLines[i].trim() === '}') {
|
|
258
|
+
catchBlockEnds = i;
|
|
259
|
+
}
|
|
260
|
+
}
|
|
261
|
+
// If success response is AFTER catch block closes, OR inside catch block, it's fail-open
|
|
262
|
+
const isFailOpen = (successResponseIndex !== -1 && catchBlockIndex !== -1 && catchBlockEnds !== -1 && successResponseIndex > catchBlockEnds) ||
|
|
263
|
+
(successResponseIndex !== -1 && catchBlockIndex !== -1 && successResponseIndex > catchBlockIndex && successResponseIndex < catchBlockEnds);
|
|
264
|
+
if (isFailOpen) {
|
|
265
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('fail-open-financial-operation', 'CRITICAL: Financial operation returns success even when failing - silent transaction failure', 'Return error status on failure: catch (err) { logger.error(...); return res.status(500).send({ error: "Transaction failed" }); }', index + 1, 'Financial operations that return success status (200 OK) even when database operations fail create silent transaction failures. Users believe their payment/charge succeeded when it actually failed, leading to financial discrepancies, accounting errors, and customer disputes.', 'try { await db.query("INSERT INTO charges...") } catch (e) { console.error(e) } res.send({ status: "processed" }) → Database fails but response says "processed" → Customer charged but no record → Financial loss', [
|
|
266
|
+
'Silent financial transaction failures',
|
|
267
|
+
'Customer overcharging (charged but no record)',
|
|
268
|
+
'Financial reconciliation errors',
|
|
269
|
+
'Accounting discrepancies and audit failures',
|
|
270
|
+
'Customer disputes and chargebacks',
|
|
271
|
+
'Compliance violations (SOX, PCI-DSS)',
|
|
272
|
+
'Business revenue loss from unrecorded transactions'
|
|
273
|
+
], 'try {\n await db.query("INSERT INTO charges(amount) VALUES(?)", [amount]);\n} catch (e) {\n console.error(e);\n}\nres.send({ status: "processed" }); // WRONG: Always returns success', 'try {\n await db.query("INSERT INTO charges(amount) VALUES(?)", [amount]);\n logger.info("Charge recorded", { amount, userId });\n res.send({ status: "processed", success: true });\n} catch (err) {\n logger.error("Charge failed", { amount, userId, error: err });\n return res.status(500).send({ error: "Transaction failed", success: false });\n}', 'Financial operations MUST return error status (4xx/5xx) when transactions fail. Never report success when the operation failed. Implement proper audit logging for all financial events.'));
|
|
274
|
+
}
|
|
275
|
+
}
|
|
276
|
+
}
|
|
224
277
|
});
|
|
225
278
|
return vulnerabilities;
|
|
226
279
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"exception-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAuBH,wDAqWC;AAzXD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yCAAyC;QACzC,4EAA4E;QAC5E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC9B,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACrE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,8DAA8D,EAC9D,wDAAwD,EACxD,KAAK,GAAG,CAAC,EACT,sFAAsF,EACtF,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,sCAAsC;gBACtC,8CAA8C;gBAC9C,uCAAuC;aACxC,EACD,iDAAiD,EACjD,8FAA8F,EAC9F,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,gEAAgE;QAChE,yFAAyF;QACzF,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,CAAC,qBAAqB;QACpF,MAAM,oBAAoB,GAAG,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAClE,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC1B,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YACvB,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM;YACxB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC;QAE/D,IAAI,oBAAoB,IAAI,qBAAqB,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,+CAA+C,EAC/C,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,wFAAwF,EACxF,oEAAoE,EACpE;gBACE,gDAAgD;gBAChD,kDAAkD;gBAClD,+CAA+C;gBAC/C,kCAAkC;aACnC,EACD,mCAAmC,EACnC,kFAAkF,EAClF,qFAAqF,CACtF,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,uDAAuD,EACvD,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,sGAAsG,EACtG,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,2CAA2C;gBAC3C,sDAAsD;gBACtD,kDAAkD;aACnD,EACD,uCAAuC,EACvC,yFAAyF,EACzF,+EAA+E,CAChF,CACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,8CAA8C,EAC9C,2EAA2E,EAC3E,KAAK,GAAG,CAAC,EACT,qGAAqG,EACrG,uEAAuE,EACvE;gBACE,yCAAyC;gBACzC,+CAA+C;gBAC/C,mDAAmD;gBACnD,4CAA4C;aAC7C,EACD,0BAA0B,EAC1B,uFAAuF,EACvF,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC7D,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACtE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC1C,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACzC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC/C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,gEAAgE,EAChE,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,8FAA8F,EAC9F,kEAAkE,EAClE;gBACE,sCAAsC;gBACtC,4BAA4B;gBAC5B,oCAAoC;gBACpC,4CAA4C;aAC7C,EACD,kCAAkC,EAClC,2FAA2F,EAC3F,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,iEAAiE;QACjE,gFAAgF;QAEhF,6DAA6D;QAC7D,mDAAmD;QACnD,MAAM,mBAAmB,GAAG,qFAAqF,CAAC;QAClH,MAAM,YAAY,GAAG,iDAAiD,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEzF,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,EAAE,CAAC;YAC3D,oCAAoC;YACpC,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7F,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACvC,MAAM,gBAAgB,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACpC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACjC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACxC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAClC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC;gBAC5E,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,oEAAoE,EACpE,6FAA6F,EAC7F,KAAK,GAAG,CAAC,EACT,sKAAsK,EACtK,4FAA4F,EAC5F;oBACE,0CAA0C;oBAC1C,6CAA6C;oBAC7C,oDAAoD;oBACpD,0CAA0C;oBAC1C,yCAAyC;iBAC1C,EACD,+CAA+C,EAC/C,+JAA+J,EAC/J,2KAA2K,CAC5K,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,6CAA6C;QAC7C,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;QAEpE,IAAI,WAAW,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC9C,wCAAwC;YACxC,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YACjE,MAAM,iBAAiB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC7B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC1B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,yBAAyB,EACzB,2EAA2E,EAC3E,6EAA6E,EAC7E,KAAK,GAAG,CAAC,EACT,6JAA6J,EAC7J,8FAA8F,EAC9F;oBACE,mCAAmC;oBACnC,wCAAwC;oBACxC,kCAAkC;oBAClC,+BAA+B;oBAC/B,gDAAgD;iBACjD,EACD,wDAAwD,EACxD,2JAA2J,EAC3J,oHAAoH,CACrH,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,8DAA8D;QAC9D,MAAM,oBAAoB,GAAG,4GAA4G,CAAC;QAE1I,IAAI,WAAW,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC5C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,wBAAwB,EACxB,oFAAoF,EACpF,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,0LAA0L,EAC1L,uGAAuG,EACvG;gBACE,kCAAkC;gBAClC,6BAA6B;gBAC7B,+CAA+C;gBAC/C,mCAAmC;gBACnC,sCAAsC;gBACtC,oCAAoC;aACrC,EACD,6DAA6D,EAC7D,+KAA+K,EAC/K,iJAAiJ,CAClJ,CACF,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,oEAAoE;QACpE,MAAM,mBAAmB,GAAG,0FAA0F,CAAC;QAEvH,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC3C,8BAA8B;YAC9B,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACtC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,eAAe,EACf,gFAAgF,EAChF,qFAAqF,EACrF,KAAK,GAAG,CAAC,EACT,6MAA6M,EAC7M,uIAAuI,EACvI;oBACE,gCAAgC;oBAChC,mCAAmC;oBACnC,6BAA6B;oBAC7B,cAAc;oBACd,8BAA8B;iBAC/B,EACD,8CAA8C,EAC9C,iFAAiF,EACjF,qIAAqI,CACtI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,yEAAyE;QACzE,MAAM,wBAAwB,GAAG,qGAAqG,CAAC;QAEvI,IAAI,WAAW,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAChD,wCAAwC;YACxC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9G,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACpC,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC5D,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,gCAAgC,EAChC,6DAA6D,EAC7D,kGAAkG,EAClG,KAAK,GAAG,CAAC,EACT,+KAA+K,EAC/K,gFAAgF,EAChF;oBACE,wCAAwC;oBACxC,yCAAyC;oBACzC,gCAAgC;oBAChC,0CAA0C;oBAC1C,0CAA0C;iBAC3C,EACD,wEAAwE,EACxE,gPAAgP,EAChP,mIAAmI,CACpI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
1
|
+
{"version":3,"file":"exception-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/exception-handling.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAwBH,wDA4aC;AAjcD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yCAAyC;QACzC,4EAA4E;QAC5E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7B,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;YAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC9B,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACrE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,8DAA8D,EAC9D,wDAAwD,EACxD,KAAK,GAAG,CAAC,EACT,sFAAsF,EACtF,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,sCAAsC;gBACtC,8CAA8C;gBAC9C,uCAAuC;aACxC,EACD,iDAAiD,EACjD,8FAA8F,EAC9F,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,gEAAgE;QAChE,yFAAyF;QACzF,MAAM,iBAAiB,GAAG,mCAAmC,CAAC,CAAC,qBAAqB;QACpF,MAAM,oBAAoB,GAAG,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAClE,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC1B,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YACvB,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM;YACxB,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC;QAE/D,IAAI,oBAAoB,IAAI,qBAAqB,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,+CAA+C,EAC/C,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,wFAAwF,EACxF,oEAAoE,EACpE;gBACE,gDAAgD;gBAChD,kDAAkD;gBAClD,+CAA+C;gBAC/C,kCAAkC;aACnC,EACD,mCAAmC,EACnC,kFAAkF,EAClF,qFAAqF,CACtF,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC;YAC3B,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAClE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,uDAAuD,EACvD,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,sGAAsG,EACtG,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,2CAA2C;gBAC3C,sDAAsD;gBACtD,kDAAkD;aACnD,EACD,uCAAuC,EACvC,yFAAyF,EACzF,+EAA+E,CAChF,CACF,CAAC;QACJ,CAAC;QAED,oDAAoD;QACpD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;YACrE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;YACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,8CAA8C,EAC9C,2EAA2E,EAC3E,KAAK,GAAG,CAAC,EACT,qGAAqG,EACrG,uEAAuE,EACvE;gBACE,yCAAyC;gBACzC,+CAA+C;gBAC/C,mDAAmD;gBACnD,4CAA4C;aAC7C,EACD,0BAA0B,EAC1B,uFAAuF,EACvF,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChE,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC1D,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC7D,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC7D,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACtE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC1C,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACzC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC/C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,gEAAgE,EAChE,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,8FAA8F,EAC9F,kEAAkE,EAClE;gBACE,sCAAsC;gBACtC,4BAA4B;gBAC5B,oCAAoC;gBACpC,4CAA4C;aAC7C,EACD,kCAAkC,EAClC,2FAA2F,EAC3F,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,iEAAiE;QACjE,gFAAgF;QAEhF,6DAA6D;QAC7D,mDAAmD;QACnD,MAAM,mBAAmB,GAAG,qFAAqF,CAAC;QAClH,MAAM,YAAY,GAAG,iDAAiD,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAEzF,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,EAAE,CAAC;YAC3D,oCAAoC;YACpC,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7F,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACvC,MAAM,gBAAgB,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,SAAS,CAAC;oBACpC,gBAAgB,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACjC,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACxC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAClC,gBAAgB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC/C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,UAAU,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,YAAY,CAAC,EAAE,CAAC;gBAC5E,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,oEAAoE,EACpE,6FAA6F,EAC7F,KAAK,GAAG,CAAC,EACT,sKAAsK,EACtK,4FAA4F,EAC5F;oBACE,0CAA0C;oBAC1C,6CAA6C;oBAC7C,oDAAoD;oBACpD,0CAA0C;oBAC1C,yCAAyC;iBAC1C,EACD,+CAA+C,EAC/C,+JAA+J,EAC/J,2KAA2K,CAC5K,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,6CAA6C;QAC7C,MAAM,sBAAsB,GAAG,oCAAoC,CAAC;QAEpE,IAAI,WAAW,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC9C,wCAAwC;YACxC,MAAM,aAAa,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YACjE,MAAM,iBAAiB,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC7B,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC1B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC3C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,yBAAyB,EACzB,2EAA2E,EAC3E,6EAA6E,EAC7E,KAAK,GAAG,CAAC,EACT,6JAA6J,EAC7J,8FAA8F,EAC9F;oBACE,mCAAmC;oBACnC,wCAAwC;oBACxC,kCAAkC;oBAClC,+BAA+B;oBAC/B,gDAAgD;iBACjD,EACD,wDAAwD,EACxD,2JAA2J,EAC3J,oHAAoH,CACrH,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,8DAA8D;QAC9D,MAAM,oBAAoB,GAAG,4GAA4G,CAAC;QAE1I,IAAI,WAAW,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;YAC5C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,wBAAwB,EACxB,oFAAoF,EACpF,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,0LAA0L,EAC1L,uGAAuG,EACvG;gBACE,kCAAkC;gBAClC,6BAA6B;gBAC7B,+CAA+C;gBAC/C,mCAAmC;gBACnC,sCAAsC;gBACtC,oCAAoC;aACrC,EACD,6DAA6D,EAC7D,+KAA+K,EAC/K,iJAAiJ,CAClJ,CACF,CAAC;QACJ,CAAC;QAED,iDAAiD;QACjD,oEAAoE;QACpE,MAAM,mBAAmB,GAAG,0FAA0F,CAAC;QAEvH,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC3C,8BAA8B;YAC9B,MAAM,eAAe,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBACtC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAChC,WAAW,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAEvD,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,eAAe,EACf,gFAAgF,EAChF,qFAAqF,EACrF,KAAK,GAAG,CAAC,EACT,6MAA6M,EAC7M,uIAAuI,EACvI;oBACE,gCAAgC;oBAChC,mCAAmC;oBACnC,6BAA6B;oBAC7B,cAAc;oBACd,8BAA8B;iBAC/B,EACD,8CAA8C,EAC9C,iFAAiF,EACjF,qIAAqI,CACtI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mEAAmE;QACnE,yEAAyE;QACzE,MAAM,wBAAwB,GAAG,qGAAqG,CAAC;QAEvI,IAAI,WAAW,CAAC,KAAK,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAChD,wCAAwC;YACxC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9G,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACpC,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;oBAC5D,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;YACvE,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,gCAAgC,EAChC,6DAA6D,EAC7D,kGAAkG,EAClG,KAAK,GAAG,CAAC,EACT,+KAA+K,EAC/K,gFAAgF,EAChF;oBACE,wCAAwC;oBACxC,yCAAyC;oBACzC,gCAAgC;oBAChC,0CAA0C;oBAC1C,0CAA0C;iBAC3C,EACD,wEAAwE,EACxE,gPAAgP,EAChP,mIAAmI,CACpI,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,+FAA+F;QAC/F,mFAAmF;QACnF,MAAM,gBAAgB,GAAG,kFAAkF,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC9H,MAAM,oBAAoB,GAAG,+FAA+F,CAAC,IAAI,CAAC,WAAW,CAAC;YACjH,wCAAwC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAExF,IAAI,gBAAgB,IAAI,oBAAoB,EAAE,CAAC;YAC7C,4DAA4D;YAC5D,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5E,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAChF,MAAM,kBAAkB,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC/C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;oBAClE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1I,CAAC,CAAC,CAAC;YAEH,uEAAuE;YACvE,oFAAoF;YACpF,IAAI,aAAa,IAAI,kBAAkB,EAAE,CAAC;gBACxC,8DAA8D;gBAC9D,IAAI,eAAe,GAAG,CAAC,CAAC,CAAC;gBACzB,IAAI,oBAAoB,GAAG,CAAC,CAAC,CAAC;gBAC9B,IAAI,cAAc,GAAG,CAAC,CAAC,CAAC;gBAExB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,YAAY,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;oBAC7C,MAAM,YAAY,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;oBACnD,IAAI,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBACnC,eAAe,GAAG,CAAC,CAAC;oBACtB,CAAC;oBACD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;wBACxE,CAAC,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;wBACjJ,oBAAoB,GAAG,CAAC,CAAC;oBAC3B,CAAC;oBACD,0EAA0E;oBAC1E,IAAI,eAAe,KAAK,CAAC,CAAC,IAAI,cAAc,KAAK,CAAC,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;wBACtF,cAAc,GAAG,CAAC,CAAC;oBACrB,CAAC;gBACH,CAAC;gBAED,yFAAyF;gBACzF,MAAM,UAAU,GAAG,CAAC,oBAAoB,KAAK,CAAC,CAAC,IAAI,eAAe,KAAK,CAAC,CAAC,IAAI,cAAc,KAAK,CAAC,CAAC,IAAI,oBAAoB,GAAG,cAAc,CAAC;oBACzH,CAAC,oBAAoB,KAAK,CAAC,CAAC,IAAI,eAAe,KAAK,CAAC,CAAC,IAAI,oBAAoB,GAAG,eAAe,IAAI,oBAAoB,GAAG,cAAc,CAAC,CAAC;gBAE9J,IAAI,UAAU,EAAE,CAAC;oBACf,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,+BAA+B,EAC/B,8FAA8F,EAC9F,kIAAkI,EAClI,KAAK,GAAG,CAAC,EACT,qRAAqR,EACrR,oNAAoN,EACpN;wBACE,uCAAuC;wBACvC,+CAA+C;wBAC/C,iCAAiC;wBACjC,6CAA6C;wBAC7C,mCAAmC;wBACnC,sCAAsC;wBACtC,oDAAoD;qBACrD,EACD,yLAAyL,EACzL,gWAAgW,EAChW,0LAA0L,CAC3L,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -17,6 +17,7 @@ import { SecurityVulnerability } from '../../types';
|
|
|
17
17
|
* - Check #2: Missing Subresource Integrity (SRI) for CDN scripts (MEDIUM)
|
|
18
18
|
* - Check #3: Package installation without lock files (MEDIUM)
|
|
19
19
|
* - Check #4: Downloading executable code from HTTP (not HTTPS) (HIGH)
|
|
20
|
+
* - Check #5: Writing untrusted data to config files without validation (HIGH) - NEW Jan 10, 2026
|
|
20
21
|
*
|
|
21
22
|
* @param lines - Array of code lines
|
|
22
23
|
* @returns Array of security vulnerabilities found
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"software-integrity.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/software-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD
|
|
1
|
+
{"version":3,"file":"software-integrity.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/software-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAiSzB"}
|
|
@@ -20,6 +20,7 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
20
20
|
* - Check #2: Missing Subresource Integrity (SRI) for CDN scripts (MEDIUM)
|
|
21
21
|
* - Check #3: Package installation without lock files (MEDIUM)
|
|
22
22
|
* - Check #4: Downloading executable code from HTTP (not HTTPS) (HIGH)
|
|
23
|
+
* - Check #5: Writing untrusted data to config files without validation (HIGH) - NEW Jan 10, 2026
|
|
23
24
|
*
|
|
24
25
|
* @param lines - Array of code lines
|
|
25
26
|
* @returns Array of security vulnerabilities found
|
|
@@ -162,6 +163,35 @@ function checkSoftwareIntegrity(lines) {
|
|
|
162
163
|
], 'npm install --registry=http://custom-registry.com package', 'npm install --registry=https://custom-registry.com package\nnpm audit signatures // Verify package integrity', 'Use package signature verification and trusted registries to prevent supply chain attacks.'));
|
|
163
164
|
}
|
|
164
165
|
}
|
|
166
|
+
// Check #5: Writing untrusted data to config files without validation - NEW Jan 10, 2026
|
|
167
|
+
// Pattern: fs.writeFileSync(...config..., JSON.stringify(req.body)) without schema validation
|
|
168
|
+
// This addresses Issue #08 partial fix: path traversal fixed but config validation missing
|
|
169
|
+
const isConfigWrite = (lowerLine.includes('fs.write') || lowerLine.includes('fs.append')) &&
|
|
170
|
+
(lowerLine.includes('config') || lowerLine.includes('.json') || lowerLine.includes('.yaml') || lowerLine.includes('.yml'));
|
|
171
|
+
if (isConfigWrite && (lowerLine.includes('req.body') || lowerLine.includes('req.query') || lowerLine.includes('req.params'))) {
|
|
172
|
+
// Check for schema validation in surrounding lines
|
|
173
|
+
const contextLines = lines.slice(Math.max(0, index - 10), Math.min(index + 5, lines.length));
|
|
174
|
+
const hasValidation = contextLines.some(l => {
|
|
175
|
+
const lowerContext = l.toLowerCase();
|
|
176
|
+
return lowerContext.includes('validate') ||
|
|
177
|
+
lowerContext.includes('schema') ||
|
|
178
|
+
lowerContext.includes('joi.') ||
|
|
179
|
+
lowerContext.includes('yup.') ||
|
|
180
|
+
lowerContext.includes('zod.') ||
|
|
181
|
+
lowerContext.includes('ajv') ||
|
|
182
|
+
lowerContext.includes('json-schema');
|
|
183
|
+
});
|
|
184
|
+
if (!hasValidation) {
|
|
185
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('unvalidated-config-write', 'Writing untrusted data to config files without schema validation - enables config poisoning', 'Validate config structure using schema validation (Joi, Zod, AJV) before writing', index + 1, 'Writing user-provided data directly to configuration files without schema validation allows attackers to inject malicious configuration, modify application behavior, or execute code through config-driven features.', 'fs.writeFileSync("config.json", JSON.stringify(req.body)) → Attacker sends {"adminMode": true, "debugLevel": 999} → Application compromised', [
|
|
186
|
+
'Configuration poisoning and tampering',
|
|
187
|
+
'Application behavior modification',
|
|
188
|
+
'Privilege escalation via config injection',
|
|
189
|
+
'Code execution if config is later evaluated',
|
|
190
|
+
'Denial of Service via malformed config',
|
|
191
|
+
'Security setting bypass (disabling auth, logging)'
|
|
192
|
+
], 'fs.writeFileSync(safePath, JSON.stringify(req.body)); // No validation', '// Define allowed config schema\nconst Joi = require("joi");\nconst schema = Joi.object({\n theme: Joi.string().valid("light", "dark"),\n timeout: Joi.number().min(1000).max(30000)\n}).unknown(false); // Reject extra fields\n\nconst { error, value } = schema.validate(req.body);\nif (error) return res.status(400).send("Invalid config");\n\nfs.writeFileSync(safePath, JSON.stringify(value));', 'Always validate configuration data against a strict schema before persisting. Reject unknown fields and enforce type/range constraints.'));
|
|
193
|
+
}
|
|
194
|
+
}
|
|
165
195
|
});
|
|
166
196
|
return vulnerabilities;
|
|
167
197
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"software-integrity.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/software-integrity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;
|
|
1
|
+
{"version":3,"file":"software-integrity.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/software-integrity.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAkBH,wDAmSC;AAlTD,sEAAqF;AAErF;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,8CAA8C;QAC9C,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,2DAA2D;QAC3D,uFAAuF;QACvF,MAAM,oBAAoB,GAAG,mCAAmC,CAAC;QACjE,MAAM,oBAAoB,GAAG,0BAA0B,CAAC;QACxD,MAAM,cAAc,GAAG,2BAA2B,CAAC;QAEnD,IAAI,WAAW,CAAC,KAAK,CAAC,oBAAoB,CAAC;YACvC,WAAW,CAAC,KAAK,CAAC,oBAAoB,CAAC;YACvC,WAAW,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAEtC,kDAAkD;YAClD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC3C,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACnC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAClC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAC/B,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,4FAA4F,EAC5F,kGAAkG,EAClG,KAAK,GAAG,CAAC,EACT,+JAA+J,EAC/J,iIAAiI,EACjI;oBACE,yCAAyC;oBACzC,kCAAkC;oBAClC,6CAA6C;oBAC7C,+BAA+B;oBAC/B,wCAAwC;iBACzC,EACD,8HAA8H,EAC9H,sOAAsO,EACtO,yGAAyG,CAC1G,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,4DAA4D;QAC5D,wFAAwF;QACxF,MAAM,gBAAgB,GAAG,iEAAiE,CAAC;QAE3F,IAAI,WAAW,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACxC,8DAA8D;YAC9D,MAAM,YAAY,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC;gBACpD,CAAC,KAAK,GAAG,CAAC,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;YAEvE,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,iBAAiB,EACjB,mFAAmF,EACnF,0GAA0G,EAC1G,KAAK,GAAG,CAAC,EACT,0JAA0J,EAC1J,4GAA4G,EAC5G;oBACE,uCAAuC;oBACvC,sBAAsB;oBACtB,uCAAuC;oBACvC,kCAAkC;oBAClC,8BAA8B;iBAC/B,EACD,uDAAuD,EACvD,6JAA6J,EAC7J,uFAAuF,CACxF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8DAA8D;QAC9D,wEAAwE;QACxE,wDAAwD;QACxD,MAAM,mBAAmB,GAAG,+FAA+F,CAAC;QAC5H,MAAM,uBAAuB,GAAG,0DAA0D,CAAC;QAE3F,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,uBAAuB,CAAC,EAAE,CAAC;YACzF,mCAAmC;YACnC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,eAAe,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACzC,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAClC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC9B,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACnC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACnC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CACjC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,eAAe,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,+FAA+F,EAC/F,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,yLAAyL,EACzL,uHAAuH,EACvH;oBACE,+CAA+C;oBAC/C,sBAAsB;oBACtB,kCAAkC;oBAClC,sBAAsB;oBACtB,iCAAiC;iBAClC,EACD,6FAA6F,EAC7F,qWAAqW,EACrW,2FAA2F,CAC5F,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,yEAAyE;QACzE,MAAM,eAAe,GAAG,0GAA0G,CAAC;QAEnI,IAAI,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,oBAAoB,EACpB,kFAAkF,EAClF,uDAAuD,EACvD,KAAK,GAAG,CAAC,EACT,gJAAgJ,EAChJ,gGAAgG,EAChG;gBACE,kCAAkC;gBAClC,sBAAsB;gBACtB,uBAAuB;gBACvB,8BAA8B;gBAC9B,eAAe;aAChB,EACD,oCAAoC,EACpC,kDAAkD,EAClD,sGAAsG,CACvG,CACF,CAAC;QACJ,CAAC;QAED,gGAAgG;QAChG,+FAA+F;QAC/F,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACvE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,aAAa,EACb,mFAAmF,EACnF,6EAA6E,EAC7E,KAAK,GAAG,CAAC,EACT,oKAAoK,EACpK,4EAA4E,EAC5E;gBACE,8BAA8B;gBAC9B,yBAAyB;gBACzB,yBAAyB;gBACzB,mBAAmB;gBACnB,gCAAgC;aACjC,EACD,8BAA8B,EAC9B,mDAAmD,EACnD,kHAAkH,CACnH,CACF,CAAC;QACJ,CAAC;QAED,sDAAsD;QACtD,yDAAyD;QACzD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACrE,CAAC,SAAS,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YAC1C,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YAEvC,gFAAgF;YAChF,MAAM,qBAAqB,GAAG,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC/B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC7B,SAAS,CAAC,QAAQ,CAAC,4BAA4B,CAAC,KAAK,KAAK,CAAC;YAE1F,IAAI,qBAAqB,EAAE,CAAC;gBAC1B,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,4BAA4B,EAC5B,+EAA+E,EAC/E,0EAA0E,EAC1E,KAAK,GAAG,CAAC,EACT,oIAAoI,EACpI,oFAAoF,EACpF;oBACE,gCAAgC;oBAChC,sBAAsB;oBACtB,oBAAoB;oBACpB,6CAA6C;oBAC7C,mBAAmB;iBACpB,EACD,2DAA2D,EAC3D,8GAA8G,EAC9G,4FAA4F,CAC7F,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yFAAyF;QACzF,8FAA8F;QAC9F,2FAA2F;QAC3F,MAAM,aAAa,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YACpE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAEhJ,IAAI,aAAa,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YAC7H,mDAAmD;YACnD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7F,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC1C,MAAM,YAAY,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACrC,OAAO,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC;oBACjC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC/B,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC7B,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC7B,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC7B,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC5B,YAAY,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YAC9C,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,6FAA6F,EAC7F,kFAAkF,EAClF,KAAK,GAAG,CAAC,EACT,uNAAuN,EACvN,6IAA6I,EAC7I;oBACE,uCAAuC;oBACvC,mCAAmC;oBACnC,2CAA2C;oBAC3C,6CAA6C;oBAC7C,wCAAwC;oBACxC,mDAAmD;iBACpD,EACD,wEAAwE,EACxE,2YAA2Y,EAC3Y,yIAAyI,CAC1I,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -11,6 +11,7 @@ import { SecurityVulnerability } from '../../types';
|
|
|
11
11
|
*
|
|
12
12
|
* Covers:
|
|
13
13
|
* - Check #85: IDOR in Express/Koa routes with :id parameters (HIGH)
|
|
14
|
+
* - Check #85b: IDOR via indirect variable usage (HIGH) - NEW Jan 10, 2026
|
|
14
15
|
*
|
|
15
16
|
* @param lines - Array of code lines
|
|
16
17
|
* @returns Array of security vulnerabilities found
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD
|
|
1
|
+
{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/access-control.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAuUzB"}
|
|
@@ -14,6 +14,7 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
14
14
|
*
|
|
15
15
|
* Covers:
|
|
16
16
|
* - Check #85: IDOR in Express/Koa routes with :id parameters (HIGH)
|
|
17
|
+
* - Check #85b: IDOR via indirect variable usage (HIGH) - NEW Jan 10, 2026
|
|
17
18
|
*
|
|
18
19
|
* @param lines - Array of code lines
|
|
19
20
|
* @returns Array of security vulnerabilities found
|
|
@@ -21,6 +22,8 @@ const createVulnerability_1 = require("../utils/createVulnerability");
|
|
|
21
22
|
function checkAccessControl(lines) {
|
|
22
23
|
const vulnerabilities = [];
|
|
23
24
|
let inMultiLineComment = false;
|
|
25
|
+
// Track variables assigned from req.params/req.query/req.body for IDOR detection
|
|
26
|
+
const userInputVariables = new Map();
|
|
24
27
|
lines.forEach((line, index) => {
|
|
25
28
|
const lineNumber = index + 1;
|
|
26
29
|
const trimmed = line.trim();
|
|
@@ -35,6 +38,14 @@ function checkAccessControl(lines) {
|
|
|
35
38
|
// Skip comments and empty lines
|
|
36
39
|
if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
|
|
37
40
|
return;
|
|
41
|
+
// Track variable assignments from user input (for indirect IDOR detection)
|
|
42
|
+
// Pattern: const userId = req.params.id, const id = req.query.userId, let userInput = req.body.data
|
|
43
|
+
const userInputAssignment = trimmed.match(/(?:const|let|var)\s+(\w+)\s*(?::\s*[\w<>]+)?\s*=\s*(req\.(?:params|query|body)\.[\w.]+)/i);
|
|
44
|
+
if (userInputAssignment) {
|
|
45
|
+
const varName = userInputAssignment[1];
|
|
46
|
+
const source = userInputAssignment[2];
|
|
47
|
+
userInputVariables.set(varName, { source, lineNumber });
|
|
48
|
+
}
|
|
38
49
|
// OWASP A01:2021 - Broken Access Control
|
|
39
50
|
// Check #85: IDOR in route handlers - HIGH
|
|
40
51
|
// Pattern: app.get("/users/:id", ...) or app.post("/accounts/:accountId", ...)
|
|
@@ -77,6 +88,42 @@ function checkAccessControl(lines) {
|
|
|
77
88
|
], 'app.get("/users/:id", async (req, res) => {\n const user = await db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);\n res.json(user); // No auth check\n});', 'app.get("/users/:id", async (req, res) => {\n if (req.session.userId !== req.params.id) {\n return res.status(403).json({ error: "Forbidden" });\n }\n const user = await db.query("SELECT * FROM users WHERE id = ?", [req.params.id]);\n res.json(user);\n});', 'Add ownership validation by comparing the authenticated user\'s ID (from session/JWT) with the requested resource ID. Return 403 Forbidden if they don\'t match.'));
|
|
78
89
|
}
|
|
79
90
|
}
|
|
91
|
+
// Check #85b: IDOR via indirect variable usage - NEW Jan 10, 2026
|
|
92
|
+
// Pattern: const userId = req.params.userId; getUserById(userId) without ownership check
|
|
93
|
+
const idorPattern = /(getUserById|findById|findOne|getById|deleteById|updateById|get\w+ById|fetch\w+|load\w+)\s*\(\s*([\w.]+)\s*[),]/i;
|
|
94
|
+
const dbAccessPattern = /\.(find|findOne|update|delete|remove)\s*\(\s*\{\s*(_?id|userId|user_id|accountId)\s*:\s*([\w]+)\s*[},]/i;
|
|
95
|
+
const isIdorMatch = trimmed.match(idorPattern) || trimmed.match(dbAccessPattern);
|
|
96
|
+
// Check if using tracked user input variable
|
|
97
|
+
let usesTrackedVariable = false;
|
|
98
|
+
for (const [varName] of userInputVariables) {
|
|
99
|
+
if (isIdorMatch && trimmed.includes(varName)) {
|
|
100
|
+
usesTrackedVariable = true;
|
|
101
|
+
break;
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
if (isIdorMatch && (trimmed.match(/req\.(params|query|body)/i) || usesTrackedVariable)) {
|
|
105
|
+
// Check if there's ownership validation in next 10 lines
|
|
106
|
+
const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
|
|
107
|
+
const hasOwnershipCheck = nextLines.some(l => {
|
|
108
|
+
const lowerLine = l.toLowerCase();
|
|
109
|
+
return ((lowerLine.includes('if') && lowerLine.includes('user') && lowerLine.includes('!==')) ||
|
|
110
|
+
(lowerLine.includes('if') && lowerLine.includes('owner') && lowerLine.includes('!==')) ||
|
|
111
|
+
lowerLine.includes('checkOwnership') ||
|
|
112
|
+
lowerLine.includes('verifyOwner') ||
|
|
113
|
+
lowerLine.includes('isOwner') ||
|
|
114
|
+
(lowerLine.includes('403') || lowerLine.includes('forbidden')) ||
|
|
115
|
+
(lowerLine.includes('401') || lowerLine.includes('unauthorized')));
|
|
116
|
+
});
|
|
117
|
+
if (!hasOwnershipCheck) {
|
|
118
|
+
vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('idor-indirect-variable', 'IDOR: Database access using user-controlled variable without ownership validation', 'Validate ownership: if (resource.userId !== req.user.id) return res.status(403)', lineNumber, 'Using user-provided IDs (from req.params/query/body) to access database records without verifying ownership allows attackers to access, modify, or delete other users\' data.', 'const userId = req.params.userId;\nconst user = getUserById(userId); // No ownership check → IDOR', [
|
|
119
|
+
'Unauthorized access to other users\' data',
|
|
120
|
+
'Horizontal privilege escalation',
|
|
121
|
+
'Data modification or deletion across accounts',
|
|
122
|
+
'Privacy violations (GDPR, CCPA)',
|
|
123
|
+
'Account takeover via accessing sensitive info'
|
|
124
|
+
], 'const userId = req.params.userId;\nconst user = await getUserById(userId);\nres.json(user); // No ownership check', 'const userId = req.params.userId;\nconst user = await getUserById(userId);\nif (user.id !== req.user.id) {\n return res.status(403).json({ error: "Forbidden" });\n}\nres.json(user);', 'Always validate that the authenticated user owns or has permission to access the requested resource before returning it'));
|
|
125
|
+
}
|
|
126
|
+
}
|
|
80
127
|
// OWASP A01:2021 - Broken Access Control / A10:2025 - Mishandling Exceptional Conditions
|
|
81
128
|
// Check #91: Fail-Open Authentication - CRITICAL
|
|
82
129
|
// Pattern: if (authorized) res.send(X); else res.send(X);
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/access-control.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;
|
|
1
|
+
{"version":3,"file":"access-control.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/access-control.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAeH,gDAyUC;AArVD,sEAAqF;AAErF;;;;;;;;;GASG;AACH,SAAgB,kBAAkB,CAChC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,iFAAiF;IACjF,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAkD,CAAC;IAErF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,2EAA2E;QAC3E,oGAAoG;QACpG,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,0FAA0F,CAAC,CAAC;QACtI,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACvC,MAAM,MAAM,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACtC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QAC1D,CAAC;QAED,yCAAyC;QACzC,2CAA2C;QAC3C,+EAA+E;QAC/E,8EAA8E;QAC9E,MAAM,kBAAkB,GAAG,2IAA2I,CAAC;QAEvK,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,+CAA+C;YAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAEzE,mCAAmC;YACnC,2DAA2D;YAC3D,gCAAgC;YAChC,2BAA2B;YAC3B,2EAA2E;YAC3E,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACtC,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO;gBACL,iBAAiB;gBACjB,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAC9B,uBAAuB;oBACvB,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;oBACnC,SAAS,CAAC,QAAQ,CAAC,2BAA2B,CAAC;oBAC/C,yBAAyB;oBACzB,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;oBAClC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC/B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC1B,mDAAmD;oBACnD,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;oBACzB,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAChC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,YAAY,EAAE,CAAC;gBAClB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,uBAAuB,EACvB,kGAAkG,EAClG,uHAAuH,EACvH,UAAU,EACV,0MAA0M,EAC1M,sIAAsI,EACtI;oBACE,gFAAgF;oBAChF,qCAAqC;oBACrC,2CAA2C;oBAC3C,qEAAqE;oBACrE,8CAA8C;iBAC/C,EACD,2KAA2K,EAC3K,wQAAwQ,EACxQ,kKAAkK,CACnK,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,kEAAkE;QAClE,yFAAyF;QACzF,MAAM,WAAW,GAAG,kHAAkH,CAAC;QACvI,MAAM,eAAe,GAAG,yGAAyG,CAAC;QAElI,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;QAEjF,6CAA6C;QAC7C,IAAI,mBAAmB,GAAG,KAAK,CAAC;QAChC,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,kBAAkB,EAAE,CAAC;YAC3C,IAAI,WAAW,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7C,mBAAmB,GAAG,IAAI,CAAC;gBAC3B,MAAM;YACR,CAAC;QACH,CAAC;QAED,IAAI,WAAW,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,IAAI,mBAAmB,CAAC,EAAE,CAAC;YACvF,yDAAyD;YACzD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CACL,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACrF,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACtF,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBACpC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;oBAC7B,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;oBAC9D,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAClE,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,wBAAwB,EACxB,mFAAmF,EACnF,iFAAiF,EACjF,UAAU,EACV,+KAA+K,EAC/K,mGAAmG,EACnG;oBACE,2CAA2C;oBAC3C,iCAAiC;oBACjC,+CAA+C;oBAC/C,iCAAiC;oBACjC,+CAA+C;iBAChD,EACD,mHAAmH,EACnH,wLAAwL,EACxL,yHAAyH,CAC1H,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yFAAyF;QACzF,iDAAiD;QACjD,0DAA0D;QAC1D,uDAAuD;QACvD,uFAAuF;QAEvF,oEAAoE;QACpE,MAAM,kBAAkB,GAAG,2CAA2C,CAAC;QACvE,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAElD,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;YAEhC,gDAAgD;YAChD,MAAM,mBAAmB,GAAG,kFAAkF,CAAC;YAE/G,IAAI,YAAY,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;gBAC5C,IAAI,QAAQ,GAAG,EAAE,CAAC;gBAClB,IAAI,UAAU,GAAG,EAAE,CAAC;gBAEpB,2EAA2E;gBAC3E,oEAAoE;gBACpE,MAAM,iBAAiB,GAAG,yCAAyC,CAAC;gBACpE,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;gBAEzD,IAAI,eAAe,EAAE,CAAC;oBACpB,QAAQ,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBACrC,UAAU,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBACzC,CAAC;qBAAM,CAAC;oBACN,sDAAsD;oBACtD,0DAA0D;oBAC1D,MAAM,aAAa,GAAG,uBAAuB,CAAC;oBAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;oBACjD,IAAI,WAAW,EAAE,CAAC;wBAChB,QAAQ,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;oBACrD,CAAC;oBAED,kCAAkC;oBAClC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;oBAC5E,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;wBACjC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;wBACpC,IAAI,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;4BACnC,MAAM,eAAe,GAAG,aAAa,CAAC;4BACtC,MAAM,aAAa,GAAG,WAAW,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;4BACzD,IAAI,aAAa,EAAE,CAAC;gCAClB,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;4BACzD,CAAC;4BACD,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,mDAAmD;gBACnD,IAAI,QAAQ,IAAI,UAAU,IAAI,QAAQ,KAAK,UAAU,EAAE,CAAC;oBACtD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,0BAA0B,EAC1B,sHAAsH,EACtH,2LAA2L,EAC3L,UAAU,EACV,4OAA4O,EAC5O,mJAAmJ,EACnJ;wBACE,gCAAgC;wBAChC,4CAA4C;wBAC5C,+CAA+C;wBAC/C,sBAAsB;wBACtB,wCAAwC;wBACxC,2DAA2D;wBAC3D,qDAAqD;qBACtD,EACD,mLAAmL,EACnL,4MAA4M,EAC5M,6KAA6K,CAC9K,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,2DAA2D;QAC3D,sDAAsD;QACtD,uEAAuE;QACvE,MAAM,YAAY,GAAG,gEAAgE,CAAC;QACtF,MAAM,cAAc,GAAG,0DAA0D,CAAC;QAElF,IAAI,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YACjE,+CAA+C;YAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACjC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBACnC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAC/B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAEnD,sDAAsD;YACtD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,kBAAkB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO;gBACL,4DAA4D;gBAC5D,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;oBACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,CAAC;oBACnE,sCAAsC;oBACtC,SAAS,CAAC,QAAQ,CAAC,2BAA2B,CAAC;oBAC/C,6BAA6B;oBAC7B,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACjC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,qDAAqD;oBACrD,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CACpG,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,aAAa,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mCAAmC,EACnC,yFAAyF,EACzF,0GAA0G,EAC1G,UAAU,EACV,qJAAqJ,EACrJ,yGAAyG,EACzG;oBACE,uCAAuC;oBACvC,6CAA6C;oBAC7C,gDAAgD;oBAChD,uBAAuB;oBACvB,gDAAgD;iBACjD,EACD,2EAA2E,EAC3E,2FAA2F,EAC3F,qGAAqG,CACtG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,2DAA2D;QAC3D,mDAAmD;QACnD,yEAAyE;QACzE,MAAM,qBAAqB,GAAG,oFAAoF,CAAC;QACnH,MAAM,eAAe,GAAG,qEAAqE,CAAC;QAE9F,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,4EAA4E;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACxE,MAAM,qBAAqB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACpB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBACpB,CAAC,CAAC,KAAK,CAAC,eAAe,CAAC;gBACxB,CAAC,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAC5B,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,CAC5B,CAAC;YAEF,wEAAwE;YACxE,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CACtC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;gBACtB,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC7B,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAC1B,CAAC;YAEF,IAAI,qBAAqB,IAAI,CAAC,YAAY,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,2BAA2B,EAC3B,yFAAyF,EACzF,kGAAkG,EAClG,UAAU,EACV,0LAA0L,EAC1L,uHAAuH,EACvH;oBACE,yDAAyD;oBACzD,qCAAqC;oBACrC,uCAAuC;oBACvC,gCAAgC;oBAChC,uBAAuB;oBACvB,2DAA2D;iBAC5D,EACD,mFAAmF,EACnF,kPAAkP,EAClP,4IAA4I,CAC7I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "codeslick-cli",
|
|
3
|
-
"version": "1.0.
|
|
3
|
+
"version": "1.0.3",
|
|
4
4
|
"description": "CodeSlick CLI tool for pre-commit security scanning",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"bin": {
|
|
@@ -37,8 +37,8 @@
|
|
|
37
37
|
},
|
|
38
38
|
"dependencies": {
|
|
39
39
|
"yargs": "^17.7.2",
|
|
40
|
-
"chalk": "^
|
|
41
|
-
"ora": "^
|
|
40
|
+
"chalk": "^4.1.2",
|
|
41
|
+
"ora": "^5.4.1",
|
|
42
42
|
"cli-table3": "^0.6.3",
|
|
43
43
|
"glob": "^10.3.10"
|
|
44
44
|
},
|
package/src/commands/init.ts
CHANGED
|
@@ -34,6 +34,7 @@ interface InitArgs {
|
|
|
34
34
|
|
|
35
35
|
/**
|
|
36
36
|
* Pre-commit hook template
|
|
37
|
+
* Uses npx to work regardless of installation method (global or npx)
|
|
37
38
|
*/
|
|
38
39
|
const PRE_COMMIT_HOOK = `#!/bin/sh
|
|
39
40
|
# CodeSlick pre-commit hook
|
|
@@ -42,7 +43,8 @@ const PRE_COMMIT_HOOK = `#!/bin/sh
|
|
|
42
43
|
# To skip this hook temporarily, use: git commit --no-verify
|
|
43
44
|
|
|
44
45
|
# Run CodeSlick scan on staged files
|
|
45
|
-
|
|
46
|
+
# Uses npx to work with both global and npx installations
|
|
47
|
+
npx codeslick-cli scan --staged
|
|
46
48
|
|
|
47
49
|
# Exit with the scan status
|
|
48
50
|
exit $?
|
|
@@ -182,9 +184,9 @@ export async function initCommand(args: InitArgs): Promise<void> {
|
|
|
182
184
|
console.log('CodeSlick will automatically scan staged files before each commit.');
|
|
183
185
|
console.log('');
|
|
184
186
|
console.log('To scan files manually:');
|
|
185
|
-
console.log(' codeslick scan # Scan all files');
|
|
186
|
-
console.log(' codeslick scan --staged # Scan staged files only');
|
|
187
|
-
console.log(' codeslick scan src/**/*.js # Scan specific files');
|
|
187
|
+
console.log(' npx codeslick-cli scan # Scan all files');
|
|
188
|
+
console.log(' npx codeslick-cli scan --staged # Scan staged files only');
|
|
189
|
+
console.log(' npx codeslick-cli scan src/**/*.js # Scan specific files');
|
|
188
190
|
console.log('');
|
|
189
191
|
console.log('To skip the pre-commit hook temporarily:');
|
|
190
192
|
console.log(' git commit --no-verify');
|