codeslick-cli 1.0.0

package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js

@@ -0,0 +1,260 @@
+"use strict";
+/**
+ * JavaScript Injection Attack Detection Module
+ *
+ * Detects critical injection vulnerabilities:
+ * - Code injection (eval, Function constructor, setTimeout/setInterval)
+ * - SQL injection patterns
+ * - Command injection
+ * - Path traversal
+ * - Regex DoS (ReDoS)
+ *
+ * Part of modularized JavaScript analyzer (150-300 LOC per module)
+ * Extracted from monolithic javascript-analyzer.ts (2,672 LOC)
+ *
+ * @module injection-attacks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkInjectionAttacks = checkInjectionAttacks;
+/**
+ * Check for injection attack vulnerabilities in JavaScript code
+ *
+ * @param code - Full source code
+ * @param createVulnerability - Function to create vulnerability objects
+ * @returns Array of detected vulnerabilities
+ */
+function checkInjectionAttacks(code, createVulnerability) {
+    const vulnerabilities = [];
+    const lines = code.split('\n');
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comment blocks
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*')) {
+            return;
+        }
+        // OWASP A03:2021 - Injection
+        // 1. eval() - CRITICAL
+        const lineWithoutStrings = removeStringLiterals(trimmed);
+        if (lineWithoutStrings.includes('eval(')) {
+            vulnerabilities.push(createVulnerability('eval-usage', 'eval() allows arbitrary code execution', 'Use JSON.parse() for data or refactor code to avoid dynamic execution', lineNumber, 'An attacker can inject malicious code through any input that reaches eval(), enabling complete control over the application\'s execution context.', 'eval(userInput) where userInput = "require(\'child_process\').exec(\'rm -rf /\')"', [
+                'Remote Code Execution (RCE)',
+                'Complete system compromise',
+                'Data theft and exfiltration',
+                'Malware installation'
+            ], 'const result = eval(userInput);', 'const result = JSON.parse(userInput); // For data only', 'Replace eval() with JSON.parse() for data parsing, or refactor code to avoid dynamic execution entirely'));
+        }
+        // 2. Function constructor - HIGH
+        if (trimmed.match(/new\s+Function\s*\(/)) {
+            vulnerabilities.push(createVulnerability('function-constructor', 'Function constructor allows code injection similar to eval()', 'Avoid creating functions dynamically from strings', lineNumber, 'The Function constructor creates functions from strings at runtime, allowing arbitrary code execution if the input is attacker-controlled.', 'new Function(userInput)() where userInput = "return process.env"', [
+                'Code injection',
+                'Access to sensitive data',
+                'Bypass of security restrictions',
+                'Remote code execution in certain contexts'
+            ], 'const fn = new Function(userCode); fn();', '// Refactor to avoid dynamic code generation\n// Use predefined functions or safer alternatives', 'Eliminate dynamic function creation. Use predefined functions, configuration objects, or refactor the architecture'));
+        }
+        // 3. setTimeout/setInterval with strings or variables - MEDIUM
+        if (trimmed.match(/set(Timeout|Interval)\s*\(\s*['"]/) ||
+            trimmed.match(/set(Timeout|Interval)\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,/)) {
+            vulnerabilities.push(createVulnerability('settimeout-string', 'setTimeout/setInterval with string or code variable executes code like eval()', 'Use function reference or arrow function instead', lineNumber, 'Passing a string or variable containing code to setTimeout/setInterval causes it to be evaluated as code, similar to eval().', 'setTimeout("alert(userInput)", 1000) or setTimeout(code, 1000) where code/userInput is attacker-controlled', [
+                'Code injection via timing functions',
+                'XSS attacks',
+                'Bypass of CSP (Content Security Policy)'
+            ], 'setTimeout("doSomething()", 1000); // or setTimeout(code, 1000);', 'setTimeout(() => doSomething(), 1000);', 'Always pass a function reference or arrow function to setTimeout/setInterval, never a string or variable containing code'));
+        }
+        // 4. SQL Injection patterns - CRITICAL
+        if ((trimmed.match(/SELECT.*FROM.*WHERE.*[+`]/i) || trimmed.match(/SELECT.*FROM.*WHERE.*\$\{/i)) ||
+            trimmed.match(/query\s*=\s*[`'"].*\+/) ||
+            trimmed.match(/execute\(.*\+/)) {
+            vulnerabilities.push(createVulnerability('sql-injection', 'SQL Injection vulnerability detected', 'Use parameterized queries or prepared statements', lineNumber, 'An attacker can inject malicious SQL code through user input, bypassing authentication and accessing/modifying the entire database.', 'username = "admin\' OR \'1\'=\'1" results in: SELECT * FROM users WHERE username = \'admin\' OR \'1\'=\'1\'', [
+                'Full database access (read/write/delete)',
+                'Authentication bypass',
+                'Data exfiltration (passwords, credit cards, PII)',
+                'Data destruction (DROP TABLE attacks)',
+                'Privilege escalation'
+            ], 'const query = "SELECT * FROM users WHERE id = " + userId;', 'const query = "SELECT * FROM users WHERE id = ?";   \ndb.query(query, [userId]);', 'Use parameterized queries where inputs are passed as separate parameters, never concatenated into the SQL string'));
+        }
+        // 5. Command Injection - CRITICAL
+        if (trimmed.match(/exec\(|spawn\(|execFile\(/) && (trimmed.includes('+') || trimmed.includes('${'))) {
+            vulnerabilities.push(createVulnerability('command-injection', 'Command Injection vulnerability detected', 'Use execFile() with array arguments, validate/sanitize all inputs', lineNumber, 'Concatenating user input into shell commands allows attackers to execute arbitrary system commands with the application\'s privileges.', 'exec("ls " + userInput) where userInput = "; rm -rf /" executes malicious command', [
+                'Remote Code Execution (RCE)',
+                'Complete system compromise',
+                'Data deletion',
+                'Privilege escalation',
+                'Backdoor installation'
+            ], 'const { exec } = require("child_process");\nexec("ls " + userDir);', 'const { execFile } = require("child_process");\nexecFile("ls", [userDir]); // Arguments passed safely as array', 'Use execFile() with array of arguments, never concatenate strings. Validate all inputs against whitelist'));
+        }
+        // 6. Path Traversal - HIGH
+        if (trimmed.match(/readFile|writeFile|unlink|rmdir|createReadStream|createWriteStream/)) {
+            const hasTraversalPattern = trimmed.match(/\.\.\/|\.\.\\|\+.*path/);
+            const hasUserInput = trimmed.match(/req\.query|req\.body|req\.params|params\.|query\.|body\./);
+            if (hasTraversalPattern || hasUserInput) {
+                vulnerabilities.push(createVulnerability('path-traversal', 'Path Traversal vulnerability - unrestricted file access', 'Use path.resolve(), validate against whitelist, restrict to safe directories', lineNumber, 'Path traversal allows attackers to access files outside intended directories using "../" sequences or by directly passing malicious paths, potentially reading sensitive files like /etc/passwd, configuration files, or source code.', 'fs.readFile(req.query.filePath) where filePath = "../../../etc/passwd" // Attacker can read any file', [
+                    'Unauthorized file access',
+                    'Sensitive data exposure (passwords, keys, source code)',
+                    'Configuration file theft',
+                    'Potential for code execution if writable files accessed'
+                ], 'const content = fs.readFileSync(req.query.filePath);', 'const path = require("path");\nconst baseDir = "/safe/upload/directory";\nconst safePath = path.resolve(baseDir, req.query.filePath);\nif (!safePath.startsWith(baseDir)) {\n  throw new Error("Invalid path - traversal detected");\n}\nconst content = fs.readFileSync(safePath);', 'Always resolve and validate paths using path.resolve(). Verify the resolved path starts with your allowed base directory. Never trust user input directly in file operations'));
+            }
+        }
+        // 7. Regex DoS (ReDoS) - MEDIUM
+        if (trimmed.match(/new\s+RegExp|\/.*\(.*\)/)) {
+            const nestedQuantInside = trimmed.match(/\([^)]*[+*][^)]*\)[+*]/);
+            const redundantQuantifier = trimmed.match(/\(\[[^\]]+\]\)[+*]/);
+            const complexGroupQuant = trimmed.match(/\([^)]{3,}\)[+*]/);
+            if (nestedQuantInside || redundantQuantifier || (complexGroupQuant && nestedQuantInside)) {
+                vulnerabilities.push(createVulnerability('regex-dos', 'Regular expression with nested/redundant quantifiers can cause ReDoS', 'Simplify regex pattern: use [a-z]+ instead of ([a-z])+, or use timeout/safe-regex libraries', lineNumber, 'Regular expressions with nested quantifiers can have exponential time complexity, allowing attackers to cause Denial of Service with carefully crafted input. Patterns like ([a-z])+ are redundant and should be simplified to [a-z]+.', 'const regex = /^([a-z0-9_])+@/; // Redundant - testing "aaa...aX" causes backtracking', [
+                    'Denial of Service (DoS)',
+                    'Application freeze/timeout',
+                    'Resource exhaustion',
+                    'Service unavailability'
+                ], 'const regex = /^([a-z0-9_])+@/;', 'const regex = /^[a-z0-9_]+@/; // Simplified - no nested quantifiers', 'Simplify regex patterns to avoid nested quantifiers. Use [a-z]+ instead of ([a-z])+. Consider using safe-regex or regex-dos libraries to validate patterns'));
+            }
+        }
+        // =============================================================================
+        // PHASE B - Server-Side Template Injection (SSTI) (Dec 21, 2025)
+        // =============================================================================
+        // 8. SSTI - Server-Side Template Injection - CRITICAL
+        // Pattern: Handlebars.compile(userInput), Pug.compile(), EJS.render(), etc.
+        // Detects template compilation with user-controlled input
+        const templateMethods = [
+            'Handlebars.compile',
+            'Pug.compile',
+            'EJS.render',
+            'Nunjucks.renderString',
+            'res.render'
+        ];
+        for (const method of templateMethods) {
+            if (trimmed.includes(method)) {
+                // Check for user input being passed to template method
+                const hasUserInput = trimmed.includes('req.body') ||
+                    trimmed.includes('req.query') ||
+                    trimmed.includes('req.params') ||
+                    trimmed.includes('request.body') ||
+                    trimmed.includes('request.query') ||
+                    trimmed.includes('request.params');
+                if (hasUserInput) {
+                    vulnerabilities.push(createVulnerability('ssti', `Server-Side Template Injection via ${method}() with user-controlled template`, 'Never compile user input as templates - only use user data in template variables', lineNumber, `Template engines like Handlebars, Pug, EJS, and Nunjucks execute code when compiling templates. If attackers control the template string, they can inject template expressions that execute arbitrary code on the server, leading to Remote Code Execution (RCE).`, `${method}(req.body.template) // Attack: template = "{{constructor.constructor('return process.env')()}}" exposes all environment variables including secrets`, [
+                        'Remote Code Execution (RCE)',
+                        'Complete server takeover',
+                        'Environment variable disclosure (API keys, secrets)',
+                        'File system access and data exfiltration',
+                        'Denial of Service (infinite loops)',
+                        'Lateral movement to other services'
+                    ], `const template = req.query.template;\nconst compiled = ${method}(template); // User controls template code!`, `// NEVER compile user input as templates\n// Use user input only as data in pre-defined templates:\nconst template = ${method}('Hello {{name}}'); // Safe: template is hardcoded\nconst result = template({ name: req.body.name }); // User data in variables only`, 'Never allow user input to be used as template code. Always use pre-defined, hardcoded templates and only pass user data as template variables. For dynamic content, use parameterized templates with user input in data context, never in template strings.'));
+                }
+            }
+        }
+        // =============================================================================
+        // 9. LDAP Injection - CRITICAL
+        // Pattern: LDAP filter construction with user input via template literals or concatenation
+        // Detects: client.search() with user-controlled filters OR filter variable assignments
+        // =============================================================================
+        // Pattern 1: Filter variable assignment with template literal + user input
+        // const filter = `(uid=${req.body.username})`;
+        // const dn = `uid=${req.body.user},ou=users,dc=example,dc=com`;
+        const hasFilterAssignment = (trimmed.match(/filter\s*[:=]\s*`[^`]*\$\{/) ||
+            trimmed.match(/dn\s*[:=]\s*`[^`]*\$\{/)) &&
+            (trimmed.includes('req.body') ||
+                trimmed.includes('req.query') ||
+                trimmed.includes('req.params'));
+        // Pattern 2: String concatenation in filter
+        // const filter = "(uid=" + req.body.username + ")";
+        const hasFilterConcat = (trimmed.match(/filter\s*[:=]\s*['"][^'"]*['"]?\s*\+/) ||
+            trimmed.match(/dn\s*[:=]\s*['"][^'"]*['"]?\s*\+/)) &&
+            (trimmed.includes('req.body') ||
+                trimmed.includes('req.query') ||
+                trimmed.includes('req.params'));
+        // Pattern 3: LDAP method with inline template literal filter
+        // client.search('ou=users', { filter: `(uid=${username})` })
+        const hasLDAPMethodWithFilter = trimmed.match(/\.(search|searchOne|bind)\s*\(/) &&
+            trimmed.match(/filter\s*:\s*`[^`]*\$\{/) &&
+            (trimmed.includes('req.body') ||
+                trimmed.includes('req.query') ||
+                trimmed.includes('req.params'));
+        if (hasFilterAssignment || hasFilterConcat || hasLDAPMethodWithFilter) {
+            vulnerabilities.push(createVulnerability('ldap-injection', `LDAP Injection via filter construction with user input`, 'Use parameterized LDAP queries or escape LDAP special characters', lineNumber, 'LDAP queries constructed with unescaped user input allow attackers to manipulate the query logic by injecting LDAP filter operators like *, (, ), &, |, or !. This can bypass authentication, access unauthorized data, or enumerate directory information.', 'const filter = `(uid=${req.body.username})`; // Attack: username = "*)(uid=*))(|(uid=*" bypasses authentication and returns all users', [
+                'Authentication bypass (login as any user)',
+                'Unauthorized data access (read sensitive directory information)',
+                'Directory enumeration (discover user accounts, groups)',
+                'Privilege escalation (access admin accounts)',
+                'Information disclosure (enumerate organizational structure)'
+            ], 'const filter = `(uid=${req.body.username})`;\nclient.search(baseDN, { filter }); // Vulnerable', 'import { escape } from "ldap-escape";\nconst safeUsername = escape.filter(req.body.username);\nconst filter = `(uid=${safeUsername})`;\nclient.search(baseDN, { filter }); // Safe: user input escaped', 'Always escape LDAP special characters (*, (, ), &, |, !, =, >, <, ~) in user input before using in filters. Use ldap-escape library or equivalent. Consider using parameterized queries if your LDAP library supports them.'));
+        }
+    });
+    return vulnerabilities;
+}
+/**
+ * Helper: Remove string literals from a line for analysis
+ * Replaces content inside strings ('...', "...", `...`) with spaces
+ *
+ * @param line - Line of code to clean
+ * @returns Line with string content replaced by spaces
+ */
+function removeStringLiterals(line) {
+    let result = '';
+    let inString = false;
+    let stringChar = '';
+    let inTemplate = false;
+    let escaped = false;
+    for (let i = 0; i < line.length; i++) {
+        const char = line[i];
+        // Handle escape sequences
+        if (escaped) {
+            result += ' ';
+            escaped = false;
+            continue;
+        }
+        if (char === '\\' && (inString || inTemplate)) {
+            escaped = true;
+            result += ' ';
+            continue;
+        }
+        // Template literal handling
+        if (char === '`') {
+            if (!inString) {
+                inTemplate = !inTemplate;
+                result += char;
+            }
+            else {
+                result += ' ';
+            }
+            continue;
+        }
+        // String literal handling
+        if ((char === '"' || char === "'") && !inTemplate) {
+            if (!inString) {
+                inString = true;
+                stringChar = char;
+                result += char;
+            }
+            else if (char === stringChar) {
+                inString = false;
+                stringChar = '';
+                result += char;
+            }
+            else {
+                result += ' ';
+            }
+            continue;
+        }
+        // Replace string content with spaces
+        if (inString || inTemplate) {
+            result += ' ';
+        }
+        else {
+            result += char;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=injection-attacks.js.map

package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;AA+BH,sDAsSC;AA7SD;;;;;;GAMG;AACH,SAAgB,qBAAqB,CACnC,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kCAAkC;QAClC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1F,OAAO;QACT,CAAC;QAED,6BAA6B;QAC7B,uBAAuB;QACvB,MAAM,kBAAkB,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACzD,IAAI,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,YAAY,EACZ,wCAAwC,EACxC,uEAAuE,EACvE,UAAU,EACV,mJAAmJ,EACnJ,mFAAmF,EACnF;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,sBAAsB;aACvB,EACD,iCAAiC,EACjC,wDAAwD,EACxD,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,sBAAsB,EACtB,8DAA8D,EAC9D,mDAAmD,EACnD,UAAU,EACV,4IAA4I,EAC5I,kEAAkE,EAClE;gBACE,gBAAgB;gBAChB,0BAA0B;gBAC1B,iCAAiC;gBACjC,2CAA2C;aAC5C,EACD,0CAA0C,EAC1C,iGAAiG,EACjG,oHAAoH,CACrH,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,EAAE,CAAC;YAC/E,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,mBAAmB,EACnB,+EAA+E,EAC/E,kDAAkD,EAClD,UAAU,EACV,8HAA8H,EAC9H,4GAA4G,EAC5G;gBACE,qCAAqC;gBACrC,aAAa;gBACb,yCAAyC;aAC1C,EACD,kEAAkE,EAClE,wCAAwC,EACxC,0HAA0H,CAC3H,CAAC,CAAC;QACL,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC,CAAC;YAC5F,OAAO,CAAC,KAAK,CAAC,uBAAuB,CAAC;YACtC,OAAO,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;YACnC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,eAAe,EACf,sCAAsC,EACtC,kDAAkD,EAClD,UAAU,EACV,qIAAqI,EACrI,6GAA6G,EAC7G;gBACE,0CAA0C;gBAC1C,uBAAuB;gBACvB,kDAAkD;gBAClD,uCAAuC;gBACvC,sBAAsB;aACvB,EACD,2DAA2D,EAC3D,kFAAkF,EAClF,kHAAkH,CACnH,CAAC,CAAC;QACL,CAAC;QAED,kCAAkC;QAClC,IAAI,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACpG,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,mBAAmB,EACnB,0CAA0C,EAC1C,mEAAmE,EACnE,UAAU,EACV,wIAAwI,EACxI,mFAAmF,EACnF;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,eAAe;gBACf,sBAAsB;gBACtB,uBAAuB;aACxB,EACD,oEAAoE,EACpE,gHAAgH,EAChH,0GAA0G,CAC3G,CAAC,CAAC;QACL,CAAC;QAED,2BAA2B;QAC3B,IAAI,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,EAAE,CAAC;YACxF,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;YAE/F,IAAI,mBAAmB,IAAI,YAAY,EAAE,CAAC;gBACxC,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,gBAAgB,EAChB,yDAAyD,EACzD,8EAA8E,EAC9E,UAAU,EACV,uOAAuO,EACvO,sGAAsG,EACtG;oBACE,0BAA0B;oBAC1B,wDAAwD;oBACxD,0BAA0B;oBAC1B,yDAAyD;iBAC1D,EACD,sDAAsD,EACtD,qRAAqR,EACrR,8KAA8K,CAC/K,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gCAAgC;QAChC,IAAI,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,EAAE,CAAC;YAC7C,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YAClE,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAChE,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;YAE5D,IAAI,iBAAiB,IAAI,mBAAmB,IAAI,CAAC,iBAAiB,IAAI,iBAAiB,CAAC,EAAE,CAAC;gBACzF,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,WAAW,EACX,sEAAsE,EACtE,6FAA6F,EAC7F,UAAU,EACV,wOAAwO,EACxO,uFAAuF,EACvF;oBACE,yBAAyB;oBACzB,4BAA4B;oBAC5B,qBAAqB;oBACrB,wBAAwB;iBACzB,EACD,iCAAiC,EACjC,qEAAqE,EACrE,4JAA4J,CAC7J,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,iEAAiE;QACjE,gFAAgF;QAEhF,sDAAsD;QACtD,4EAA4E;QAC5E,0DAA0D;QAC1D,MAAM,eAAe,GAAG;YACtB,oBAAoB;YACpB,aAAa;YACb,YAAY;YACZ,uBAAuB;YACvB,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,uDAAuD;gBACvD,MAAM,YAAY,GAChB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAC5B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAC9B,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC;oBAChC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;oBACjC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;gBAErC,IAAI,YAAY,EAAE,CAAC;oBACjB,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,MAAM,EACN,sCAAsC,MAAM,kCAAkC,EAC9E,kFAAkF,EAClF,UAAU,EACV,mQAAmQ,EACnQ,GAAG,MAAM,qJAAqJ,EAC9J;wBACE,6BAA6B;wBAC7B,0BAA0B;wBAC1B,qDAAqD;wBACrD,0CAA0C;wBAC1C,oCAAoC;wBACpC,oCAAoC;qBACrC,EACD,0DAA0D,MAAM,6CAA6C,EAC7G,wHAAwH,MAAM,sIAAsI,EACpQ,6PAA6P,CAC9P,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,+BAA+B;QAC/B,2FAA2F;QAC3F,uFAAuF;QACvF,gFAAgF;QAEhF,2EAA2E;QAC3E,+CAA+C;QAC/C,gEAAgE;QAChE,MAAM,mBAAmB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;YACzC,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAE9D,4CAA4C;QAC5C,oDAAoD;QACpD,MAAM,eAAe,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;YACpD,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;YACnD,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAE1D,6DAA6D;QAC7D,6DAA6D;QAC7D,MAAM,uBAAuB,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC;YAC9C,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC;YACxC,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;gBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAElE,IAAI,mBAAmB,IAAI,eAAe,IAAI,uBAAuB,EAAE,CAAC;YACtE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CACtC,gBAAgB,EAChB,wDAAwD,EACxD,kEAAkE,EAClE,UAAU,EACV,6PAA6P,EAC7P,uIAAuI,EACvI;gBACE,2CAA2C;gBAC3C,iEAAiE;gBACjE,wDAAwD;gBACxD,8CAA8C;gBAC9C,6DAA6D;aAC9D,EACD,gGAAgG,EAChG,wMAAwM,EACxM,6NAA6N,CAC9N,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,oBAAoB,CAAC,IAAY;IACxC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,UAAU,GAAG,EAAE,CAAC;IACpB,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAErB,0BAA0B;QAC1B,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,IAAI,GAAG,CAAC;YACd,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QAED,IAAI,IAAI,KAAK,IAAI,IAAI,CAAC,QAAQ,IAAI,UAAU,CAAC,EAAE,CAAC;YAC9C,OAAO,GAAG,IAAI,CAAC;YACf,MAAM,IAAI,GAAG,CAAC;YACd,SAAS;QACX,CAAC;QAED,4BAA4B;QAC5B,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YACjB,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,UAAU,GAAG,CAAC,UAAU,CAAC;gBACzB,MAAM,IAAI,IAAI,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;YACD,SAAS;QACX,CAAC;QAED,0BAA0B;QAC1B,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YAClD,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAC;gBAChB,UAAU,GAAG,IAAI,CAAC;gBAClB,MAAM,IAAI,IAAI,CAAC;YACjB,CAAC;iBAAM,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;gBAC/B,QAAQ,GAAG,KAAK,CAAC;gBACjB,UAAU,GAAG,EAAE,CAAC;gBAChB,MAAM,IAAI,IAAI,CAAC;YACjB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;YACD,SAAS;QACX,CAAC;QAED,qCAAqC;QACrC,IAAI,QAAQ,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,IAAI,GAAG,CAAC;QAChB,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,IAAI,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts

@@ -0,0 +1,26 @@
+/**
+ * JavaScript Insecure Design Security Checks
+ * OWASP A04:2025 - Insecure Design
+ *
+ * Detects business logic flaws and design-level security issues.
+ * This is a NEW category in OWASP 2025 that focuses on fundamental design flaws
+ * rather than implementation bugs.
+ *
+ * Created: Dec 30, 2025
+ * Purpose: Detect business logic vulnerabilities that can't be caught by traditional security scanners
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for insecure design vulnerabilities in JavaScript code
+ *
+ * Covers:
+ * - Check #1: Client-controlled pricing/discounts (CRITICAL)
+ * - Check #2: Client-controlled quantity/amounts in financial operations (HIGH)
+ * - Check #3: Missing business rule validation (MEDIUM)
+ * - Check #4: Race conditions in state-changing operations (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkInsecureDesign(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=insecure-design.d.ts.map

package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-design.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/insecure-design.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA2NzB"}

package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js

@@ -0,0 +1,164 @@
+"use strict";
+/**
+ * JavaScript Insecure Design Security Checks
+ * OWASP A04:2025 - Insecure Design
+ *
+ * Detects business logic flaws and design-level security issues.
+ * This is a NEW category in OWASP 2025 that focuses on fundamental design flaws
+ * rather than implementation bugs.
+ *
+ * Created: Dec 30, 2025
+ * Purpose: Detect business logic vulnerabilities that can't be caught by traditional security scanners
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkInsecureDesign = checkInsecureDesign;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for insecure design vulnerabilities in JavaScript code
+ *
+ * Covers:
+ * - Check #1: Client-controlled pricing/discounts (CRITICAL)
+ * - Check #2: Client-controlled quantity/amounts in financial operations (HIGH)
+ * - Check #3: Missing business rule validation (MEDIUM)
+ * - Check #4: Race conditions in state-changing operations (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkInsecureDesign(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // Track multi-line comment blocks (/* ... */)
+        if (trimmedLine.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmedLine.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('//') ||
+            trimmedLine.startsWith('*')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Client-controlled pricing/discounts
+        // Pattern: const { price, discount, amount } = req.body; finalPrice = price - discount;
+        // This is a critical business logic flaw
+        const financialFieldsPattern = /(price|discount|amount|total|subtotal|finalprice|cost)\s*[=:]/i;
+        const reqBodyPattern = /req\.body\.(price|discount|amount|total|subtotal|finalprice|cost)/i;
+        const destructurePattern = /\{\s*(price|discount|amount|total|subtotal|finalprice|cost)[,\s\}]/i;
+        if ((trimmedLine.match(destructurePattern) && trimmedLine.includes('req.body')) ||
+            trimmedLine.match(reqBodyPattern)) {
+            // Check next 15 lines for direct calculation without validation
+            const nextLines = lines.slice(index, Math.min(index + 15, lines.length));
+            const hasCalculation = nextLines.some(l => {
+                const lowerNextLine = l.toLowerCase();
+                return ((lowerNextLine.includes('price') && (lowerNextLine.includes('-') || lowerNextLine.includes('*'))) ||
+                    (lowerNextLine.includes('discount') && (lowerNextLine.includes('-') || lowerNextLine.includes('*'))) ||
+                    (lowerNextLine.includes('amount') && (lowerNextLine.includes('-') || lowerNextLine.includes('*'))));
+            });
+            // Check if there's validation
+            const hasValidation = nextLines.some(l => {
+                const lowerNextLine = l.toLowerCase();
+                return (lowerNextLine.includes('validate') ||
+                    lowerNextLine.includes('verify') ||
+                    lowerNextLine.includes('check') ||
+                    (lowerNextLine.includes('if') && (lowerNextLine.includes('>') || lowerNextLine.includes('<'))) ||
+                    lowerNextLine.includes('max') ||
+                    lowerNextLine.includes('min') ||
+                    lowerNextLine.includes('throw') ||
+                    lowerNextLine.includes('error'));
+            });
+            if (hasCalculation && !hasValidation) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('client-controlled-pricing', 'CRITICAL: Client controls pricing/discount - attackers can set $0 prices or negative discounts', 'Validate ALL financial values server-side against business rules. Never trust client-provided prices/discounts.', index + 1, 'Trusting client-provided pricing, discounts, or amounts allows attackers to manipulate financial calculations. An attacker can set price=0, discount=1000000, or amount=-1000 to steal money or get free products.', 'const { price, discount } = req.body; finalPrice = price - discount; → Attacker sends { price: 0.01, discount: -1000000 } to get money', [
+                    'Financial fraud - attacker gets products for $0',
+                    'Negative pricing attacks - attacker gets paid to take products',
+                    'Business revenue loss',
+                    'Accounting manipulation',
+                    'Regulatory violations (SOX, PCI-DSS)',
+                    'Business logic bypass for discounts/promotions'
+                ], 'const { price, discount } = req.body;\nconst finalPrice = price - discount;', '// Server-side: Fetch actual price from database\nconst product = await db.products.findById(productId);\nconst discount = validateDiscount(req.body.discountCode); // Validate discount code\nif (discount < 0 || discount > product.price) throw new Error("Invalid discount");\nconst finalPrice = product.price - discount;', 'Never trust client-provided financial values. Always fetch prices from server-side database and validate all calculations against business rules.'));
+            }
+        }
+        // Check #2: Client-controlled quantity in financial operations
+        // Pattern: const { quantity } = req.body; totalPrice = price * quantity; (without max quantity check)
+        if (lowerLine.includes('quantity') && lowerLine.includes('req.body')) {
+            const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
+            const hasMultiplication = nextLines.some(l => l.toLowerCase().includes('quantity') && l.includes('*'));
+            const hasMaxCheck = nextLines.some(l => {
+                const lowerNextLine = l.toLowerCase();
+                return ((lowerNextLine.includes('quantity') && (lowerNextLine.includes('>') || lowerNextLine.includes('max'))) ||
+                    lowerNextLine.includes('maxquantity') ||
+                    lowerNextLine.includes('max_quantity'));
+            });
+            if (hasMultiplication && !hasMaxCheck) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('uncapped-quantity', 'Client-controlled quantity without max limit - enables DoS and overflow attacks', 'Enforce maximum quantity limits (e.g., max 100 per order) to prevent abuse', index + 1, 'Allowing unlimited client-controlled quantities can cause integer overflows, database exhaustion, and denial of service attacks.', 'const { quantity } = req.body; totalPrice = price * quantity; → Attacker sends quantity=999999999999 causing overflow or system crash', [
+                    'Integer overflow in price calculations',
+                    'Denial of Service via resource exhaustion',
+                    'Inventory manipulation',
+                    'Database overload',
+                    'Memory exhaustion'
+                ], 'const { quantity } = req.body;\nconst totalPrice = price * quantity;', 'const { quantity } = req.body;\nconst MAX_QUANTITY = 100;\nif (quantity < 1 || quantity > MAX_QUANTITY) {\n  return res.status(400).send("Invalid quantity");\n}\nconst totalPrice = price * quantity;', 'Always enforce reasonable maximum limits on client-provided quantities to prevent abuse and overflow attacks.'));
+            }
+        }
+        // Check #3: Race conditions in state-changing operations
+        // Pattern: balance checks without atomic operations (check-then-act)
+        // Example: if (balance >= amount) { balance -= amount; } (vulnerable to TOCTOU)
+        const balanceCheckPattern = /if\s*\(\s*(balance|currentBalance|account\.balance)\s*>=?\s*(amount|withdrawAmount|price)/i;
+        if (trimmedLine.match(balanceCheckPattern)) {
+            // Check if there's a transaction/lock mechanism
+            const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
+            const hasAtomicOperation = nextLines.some(l => {
+                const lowerNextLine = l.toLowerCase();
+                return (lowerNextLine.includes('transaction') ||
+                    lowerNextLine.includes('lock') ||
+                    lowerNextLine.includes('atomic') ||
+                    lowerNextLine.includes('$inc') || // MongoDB atomic
+                    lowerNextLine.includes('increment') ||
+                    lowerNextLine.includes('decrement'));
+            });
+            if (!hasAtomicOperation) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('race-condition-toctou', 'Race condition (TOCTOU): Balance check not atomic - double-spending possible', 'Use atomic database operations or transactions to prevent race conditions', index + 1, 'Time-Of-Check-Time-Of-Use (TOCTOU) race conditions occur when checking a value and then acting on it in separate steps. Between the check and the action, the value can change, allowing double-spending and other race condition exploits.', 'if (balance >= amount) { balance -= amount; } → Two concurrent requests both pass the check before either updates balance, allowing double-spending', [
+                    'Double-spending attacks',
+                    'Overdraft exploitation',
+                    'Inventory overselling',
+                    'Account balance manipulation',
+                    'Concurrent request exploitation'
+                ], 'if (user.balance >= amount) {\n  user.balance -= amount; // Race condition!\n  await user.save();\n}', '// Use atomic database operations\nawait User.updateOne(\n  { _id: userId, balance: { $gte: amount } },\n  { $inc: { balance: -amount } }\n);\n// OR use database transactions', 'Use atomic operations or database transactions to prevent race conditions in concurrent scenarios.'));
+            }
+        }
+        // Check #4: Sequential operation without idempotency key
+        // Pattern: Payment processing without idempotency check
+        const paymentPattern = /(charge|payment|transfer|transaction|bill|invoice)\s*\(/i;
+        const paymentRoutePattern = /\.(post|put)\s*\(\s*['"`].*\/(payment|charge|checkout|purchase|buy|order)/i;
+        if (trimmedLine.match(paymentPattern) || trimmedLine.match(paymentRoutePattern)) {
+            // Check for idempotency key validation
+            const contextLines = lines.slice(Math.max(0, index - 5), Math.min(index + 10, lines.length));
+            const hasIdempotencyCheck = contextLines.some(l => {
+                const lowerContextLine = l.toLowerCase();
+                return (lowerContextLine.includes('idempotency') ||
+                    lowerContextLine.includes('requestid') ||
+                    lowerContextLine.includes('request_id') ||
+                    lowerContextLine.includes('transactionid') ||
+                    lowerContextLine.includes('transaction_id') ||
+                    (lowerContextLine.includes('cache') && lowerContextLine.includes('check')));
+            });
+            if (!hasIdempotencyCheck) {
+                vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)('missing-idempotency', 'Payment operation without idempotency - duplicate charges possible from retries', 'Implement idempotency keys to prevent duplicate transactions on retries', index + 1, 'Payment and financial operations without idempotency protection can result in duplicate charges when users retry failed requests or network issues cause duplicate requests.', 'app.post("/charge", async (req, res) => stripe.charges.create(...)) → Network timeout causes retry, charging customer twice', [
+                    'Duplicate payment charges',
+                    'Customer overcharging',
+                    'Financial reconciliation issues',
+                    'Chargeback risks',
+                    'Customer trust erosion'
+                ], 'app.post("/charge", async (req, res) => {\n  await stripe.charges.create({ amount, currency });\n});', 'app.post("/charge", async (req, res) => {\n  const idempotencyKey = req.headers["idempotency-key"];\n  if (!idempotencyKey) return res.status(400).send("Missing idempotency key");\n  \n  // Check if already processed\n  const existing = await cache.get(idempotencyKey);\n  if (existing) return res.json(existing);\n  \n  const charge = await stripe.charges.create({ amount, currency }, { idempotencyKey });\n  await cache.set(idempotencyKey, charge, 86400); // 24h TTL\n  res.json(charge);\n});', 'Always implement idempotency for payment and state-changing operations to prevent duplicate processing from retries.'));
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=insecure-design.js.map

package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-design.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/insecure-design.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAiBH,kDA6NC;AA3OD,sEAAqF;AAErF;;;;;;;;;;;GAWG;AACH,SAAgB,mBAAmB,CACjC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,8CAA8C;QAC9C,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,gDAAgD;QAChD,wFAAwF;QACxF,yCAAyC;QACzC,MAAM,sBAAsB,GAAG,gEAAgE,CAAC;QAChG,MAAM,cAAc,GAAG,oEAAoE,CAAC;QAC5F,MAAM,kBAAkB,GAAG,qEAAqE,CAAC;QAEjG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,kBAAkB,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC3E,WAAW,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAEtC,gEAAgE;YAChE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACxC,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;oBACjG,CAAC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;oBACpG,CAAC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CACnG,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,8BAA8B;YAC9B,MAAM,aAAa,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACvC,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAClC,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAC/B,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC9F,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC7B,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC;oBAC7B,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC;oBAC/B,aAAa,CAAC,QAAQ,CAAC,OAAO,CAAC,CAChC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,cAAc,IAAI,CAAC,aAAa,EAAE,CAAC;gBACrC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,2BAA2B,EAC3B,gGAAgG,EAChG,iHAAiH,EACjH,KAAK,GAAG,CAAC,EACT,oNAAoN,EACpN,wIAAwI,EACxI;oBACE,iDAAiD;oBACjD,gEAAgE;oBAChE,uBAAuB;oBACvB,yBAAyB;oBACzB,sCAAsC;oBACtC,gDAAgD;iBACjD,EACD,6EAA6E,EAC7E,iUAAiU,EACjU,mJAAmJ,CACpJ,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,sGAAsG;QACtG,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrE,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC3C,CAAC,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CACxD,CAAC;YAEF,MAAM,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBACrC,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,CAAC,aAAa,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,aAAa,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC;oBACtG,aAAa,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACrC,aAAa,CAAC,QAAQ,CAAC,cAAc,CAAC,CACvC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,iBAAiB,IAAI,CAAC,WAAW,EAAE,CAAC;gBACtC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,iFAAiF,EACjF,4EAA4E,EAC5E,KAAK,GAAG,CAAC,EACT,kIAAkI,EAClI,uIAAuI,EACvI;oBACE,wCAAwC;oBACxC,2CAA2C;oBAC3C,wBAAwB;oBACxB,mBAAmB;oBACnB,mBAAmB;iBACpB,EACD,sEAAsE,EACtE,wMAAwM,EACxM,+GAA+G,CAChH,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,qEAAqE;QACrE,gFAAgF;QAChF,MAAM,mBAAmB,GAAG,4FAA4F,CAAC;QAEzH,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAC3C,gDAAgD;YAChD,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YACzE,MAAM,kBAAkB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACtC,OAAO,CACL,aAAa,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACrC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC;oBAC9B,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAChC,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,iBAAiB;oBACnD,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACnC,aAAa,CAAC,QAAQ,CAAC,WAAW,CAAC,CACpC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,8EAA8E,EAC9E,2EAA2E,EAC3E,KAAK,GAAG,CAAC,EACT,6OAA6O,EAC7O,qJAAqJ,EACrJ;oBACE,yBAAyB;oBACzB,wBAAwB;oBACxB,uBAAuB;oBACvB,8BAA8B;oBAC9B,iCAAiC;iBAClC,EACD,sGAAsG,EACtG,gLAAgL,EAChL,oGAAoG,CACrG,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,wDAAwD;QACxD,MAAM,cAAc,GAAG,0DAA0D,CAAC;QAClF,MAAM,mBAAmB,GAAG,4EAA4E,CAAC;QAEzG,IAAI,WAAW,CAAC,KAAK,CAAC,cAAc,CAAC,IAAI,WAAW,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAChF,uCAAuC;YACvC,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7F,MAAM,mBAAmB,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAChD,MAAM,gBAAgB,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBACzC,OAAO,CACL,gBAAgB,CAAC,QAAQ,CAAC,aAAa,CAAC;oBACxC,gBAAgB,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACtC,gBAAgB,CAAC,QAAQ,CAAC,YAAY,CAAC;oBACvC,gBAAgB,CAAC,QAAQ,CAAC,eAAe,CAAC;oBAC1C,gBAAgB,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBAC3C,CAAC,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,gBAAgB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAC3E,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBACzB,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,qBAAqB,EACrB,iFAAiF,EACjF,yEAAyE,EACzE,KAAK,GAAG,CAAC,EACT,8KAA8K,EAC9K,6HAA6H,EAC7H;oBACE,2BAA2B;oBAC3B,uBAAuB;oBACvB,iCAAiC;oBACjC,kBAAkB;oBAClB,wBAAwB;iBACzB,EACD,sGAAsG,EACtG,gfAAgf,EAChf,sHAAsH,CACvH,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts

@@ -0,0 +1,26 @@
+/**
+ * JavaScript Security Misconfiguration Checks
+ * OWASP A02:2025 - Security Misconfiguration
+ *
+ * Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+ * Focus: Cloud configs, app settings, security headers, debug modes, etc.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for security misconfiguration vulnerabilities in JavaScript code
+ *
+ * Covers:
+ * - Check #1: Debug mode enabled in production (MEDIUM)
+ * - Check #2: Detailed error messages exposed (MEDIUM)
+ * - Check #3: CORS misconfiguration allowing all origins (HIGH)
+ * - Check #4: Missing security headers (MEDIUM)
+ * - Check #5: Insecure session configuration (MEDIUM)
+ * - Check #6: Default credentials usage (CRITICAL)
+ * - Check #7: Administrative interfaces exposed (HIGH)
+ * - Check #8: Unnecessary HTTP methods enabled (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkSecurityMisconfiguration(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=security-misconfiguration.d.ts.map

package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-misconfiguration.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/security-misconfiguration.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAm0BzB"}