codeslick-cli 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +458 -0
- package/__tests__/cli-reporter.test.ts +86 -0
- package/__tests__/config-loader.test.ts +247 -0
- package/__tests__/local-scanner.test.ts +245 -0
- package/bin/codeslick.cjs +153 -0
- package/dist/packages/cli/src/commands/auth.d.ts +36 -0
- package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/auth.js +226 -0
- package/dist/packages/cli/src/commands/auth.js.map +1 -0
- package/dist/packages/cli/src/commands/config.d.ts +37 -0
- package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/config.js +196 -0
- package/dist/packages/cli/src/commands/config.js.map +1 -0
- package/dist/packages/cli/src/commands/init.d.ts +32 -0
- package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/init.js +171 -0
- package/dist/packages/cli/src/commands/init.js.map +1 -0
- package/dist/packages/cli/src/commands/scan.d.ts +40 -0
- package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/scan.js +204 -0
- package/dist/packages/cli/src/commands/scan.js.map +1 -0
- package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
- package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
- package/dist/packages/cli/src/config/config-loader.js +146 -0
- package/dist/packages/cli/src/config/config-loader.js.map +1 -0
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
- package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
- package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
- package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
- package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
- package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
- package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
- package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
- package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
- package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
- package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
- package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
- package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
- package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
- package/dist/src/lib/analyzers/types.d.ts +92 -0
- package/dist/src/lib/analyzers/types.d.ts.map +1 -0
- package/dist/src/lib/analyzers/types.js +3 -0
- package/dist/src/lib/analyzers/types.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
- package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
- package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
- package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
- package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
- package/dist/src/lib/security/compliance-mapping.js +1342 -0
- package/dist/src/lib/security/compliance-mapping.js.map +1 -0
- package/dist/src/lib/security/severity-scoring.d.ts +47 -0
- package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
- package/dist/src/lib/security/severity-scoring.js +965 -0
- package/dist/src/lib/security/severity-scoring.js.map +1 -0
- package/dist/src/lib/standards/references.d.ts +16 -0
- package/dist/src/lib/standards/references.d.ts.map +1 -0
- package/dist/src/lib/standards/references.js +1161 -0
- package/dist/src/lib/standards/references.js.map +1 -0
- package/dist/src/lib/types/index.d.ts +167 -0
- package/dist/src/lib/types/index.d.ts.map +1 -0
- package/dist/src/lib/types/index.js +3 -0
- package/dist/src/lib/types/index.js.map +1 -0
- package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
- package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
- package/dist/src/lib/utils/code-cleaner.js +283 -0
- package/dist/src/lib/utils/code-cleaner.js.map +1 -0
- package/package.json +51 -0
- package/src/commands/auth.ts +308 -0
- package/src/commands/config.ts +226 -0
- package/src/commands/init.ts +202 -0
- package/src/commands/scan.ts +238 -0
- package/src/config/config-loader.ts +175 -0
- package/src/reporters/cli-reporter.ts +282 -0
- package/src/scanner/local-scanner.ts +250 -0
- package/tsconfig.json +24 -0
- package/tsconfig.tsbuildinfo +1 -0
|
@@ -0,0 +1,775 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* JavaScript Security Misconfiguration Checks
|
|
4
|
+
* OWASP A02:2025 - Security Misconfiguration
|
|
5
|
+
*
|
|
6
|
+
* Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
|
|
7
|
+
* Focus: Cloud configs, app settings, security headers, debug modes, etc.
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.checkSecurityMisconfiguration = checkSecurityMisconfiguration;
|
|
11
|
+
const createVulnerability_1 = require("../utils/createVulnerability");
|
|
12
|
+
/**
|
|
13
|
+
* Checks for security misconfiguration vulnerabilities in JavaScript code
|
|
14
|
+
*
|
|
15
|
+
* Covers:
|
|
16
|
+
* - Check #1: Debug mode enabled in production (MEDIUM)
|
|
17
|
+
* - Check #2: Detailed error messages exposed (MEDIUM)
|
|
18
|
+
* - Check #3: CORS misconfiguration allowing all origins (HIGH)
|
|
19
|
+
* - Check #4: Missing security headers (MEDIUM)
|
|
20
|
+
* - Check #5: Insecure session configuration (MEDIUM)
|
|
21
|
+
* - Check #6: Default credentials usage (CRITICAL)
|
|
22
|
+
* - Check #7: Administrative interfaces exposed (HIGH)
|
|
23
|
+
* - Check #8: Unnecessary HTTP methods enabled (MEDIUM)
|
|
24
|
+
*
|
|
25
|
+
* @param lines - Array of code lines
|
|
26
|
+
* @returns Array of security vulnerabilities found
|
|
27
|
+
*/
|
|
28
|
+
function checkSecurityMisconfiguration(lines) {
|
|
29
|
+
const vulnerabilities = [];
|
|
30
|
+
let inMultiLineComment = false;
|
|
31
|
+
let hasCsrfMiddleware = false; // Track CSRF middleware presence
|
|
32
|
+
let hasRateLimiting = false; // Track rate limiting middleware presence
|
|
33
|
+
let hasExpressApp = false; // Track Express app creation
|
|
34
|
+
let hasApiRoute = false; // Track API route definition
|
|
35
|
+
lines.forEach((line, index) => {
|
|
36
|
+
const trimmedLine = line.trim();
|
|
37
|
+
// CRITICAL: Track multi-line comment blocks (/* ... */)
|
|
38
|
+
if (trimmedLine.includes('/*')) {
|
|
39
|
+
inMultiLineComment = true;
|
|
40
|
+
}
|
|
41
|
+
if (trimmedLine.includes('*/')) {
|
|
42
|
+
inMultiLineComment = false;
|
|
43
|
+
return; // Skip the line with */
|
|
44
|
+
}
|
|
45
|
+
// CRITICAL: Skip all lines inside multi-line comments and single-line comments
|
|
46
|
+
if (!trimmedLine ||
|
|
47
|
+
inMultiLineComment ||
|
|
48
|
+
trimmedLine.startsWith('//') ||
|
|
49
|
+
trimmedLine.startsWith('*')) {
|
|
50
|
+
return;
|
|
51
|
+
}
|
|
52
|
+
const lowerLine = trimmedLine.toLowerCase();
|
|
53
|
+
// Track rate limiting middleware
|
|
54
|
+
if (lowerLine.includes('ratelimit') || lowerLine.includes('rate-limit') || lowerLine.includes('express-rate-limit')) {
|
|
55
|
+
hasRateLimiting = true;
|
|
56
|
+
}
|
|
57
|
+
// Track Express app creation
|
|
58
|
+
if (lowerLine.includes('express()') || (lowerLine.includes('const') && lowerLine.includes('app') && lowerLine.includes('express'))) {
|
|
59
|
+
hasExpressApp = true;
|
|
60
|
+
}
|
|
61
|
+
// Track API routes
|
|
62
|
+
if ((lowerLine.includes('app.get') || lowerLine.includes('app.post') || lowerLine.includes('app.put') || lowerLine.includes('app.delete')) &&
|
|
63
|
+
(lowerLine.includes('/api/') || lowerLine.includes("'/api") || lowerLine.includes('"/api'))) {
|
|
64
|
+
hasApiRoute = true;
|
|
65
|
+
}
|
|
66
|
+
// Check #1: Debug mode enabled in production (Express.js, Node.js)
|
|
67
|
+
// Detects: app.set('env', 'development') OR process.env.NODE_ENV = 'development' OR const DEBUG = true
|
|
68
|
+
if ((lowerLine.includes('app.set') && lowerLine.includes('env') &&
|
|
69
|
+
(lowerLine.includes('development') || lowerLine.includes('debug'))) ||
|
|
70
|
+
(lowerLine.includes('process.env.node_env') && lowerLine.includes('=') &&
|
|
71
|
+
(lowerLine.includes("'development'") || lowerLine.includes('"development"'))) ||
|
|
72
|
+
(lowerLine.includes('debug') && lowerLine.includes('=') && lowerLine.includes('true') &&
|
|
73
|
+
(lowerLine.includes('const') || lowerLine.includes('let') || lowerLine.includes('var')))) {
|
|
74
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
75
|
+
category: 'Security Misconfiguration',
|
|
76
|
+
severity: 'MEDIUM',
|
|
77
|
+
confidence: 'HIGH',
|
|
78
|
+
message: 'debug mode may be enabled in production environment',
|
|
79
|
+
line: index + 1,
|
|
80
|
+
suggestion: 'Ensure NODE_ENV is properly set to "production" and debug flags are disabled',
|
|
81
|
+
owasp: 'A02:2025',
|
|
82
|
+
cwe: 'CWE-489',
|
|
83
|
+
pciDss: 'Requirement 6.1',
|
|
84
|
+
remediation: {
|
|
85
|
+
explanation: 'Debug mode exposes sensitive application details that can aid attackers',
|
|
86
|
+
before: 'app.set("env", "development")',
|
|
87
|
+
after: 'app.set("env", process.env.NODE_ENV || "production")'
|
|
88
|
+
},
|
|
89
|
+
attackVector: {
|
|
90
|
+
description: 'Debug mode can expose stack traces, environment variables, and internal application structure',
|
|
91
|
+
realWorldImpact: [
|
|
92
|
+
'Information disclosure through error messages',
|
|
93
|
+
'Exposure of file paths and internal structure',
|
|
94
|
+
'Potential exposure of environment variables',
|
|
95
|
+
'Performance degradation in production'
|
|
96
|
+
]
|
|
97
|
+
}
|
|
98
|
+
}));
|
|
99
|
+
}
|
|
100
|
+
// Check #2: Detailed error messages exposed to users
|
|
101
|
+
// FIX (Dec 30, 2025): Handle method chaining like res.status(500).send(err.stack)
|
|
102
|
+
// Pattern: res.send() or res.status().send() or res.json() with err.stack/err.message
|
|
103
|
+
const hasSendMethod = /\bres\.(?:\w+\([^)]*\)\.)*(?:send|json)\s*\(/i.test(trimmedLine) ||
|
|
104
|
+
/\bresponse\.(?:\w+\([^)]*\)\.)*(?:send|json)\s*\(/i.test(trimmedLine);
|
|
105
|
+
const hasErrorExposure = lowerLine.includes('err.stack') || lowerLine.includes('error.stack') ||
|
|
106
|
+
lowerLine.includes('err.message') || lowerLine.includes('error.message');
|
|
107
|
+
if (hasSendMethod && hasErrorExposure) {
|
|
108
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
109
|
+
category: 'Security Misconfiguration',
|
|
110
|
+
severity: 'HIGH',
|
|
111
|
+
confidence: 'HIGH',
|
|
112
|
+
message: 'Detailed error details exposed to users',
|
|
113
|
+
line: index + 1,
|
|
114
|
+
suggestion: 'Log detailed errors server-side, return generic error messages to users',
|
|
115
|
+
owasp: 'A02:2025',
|
|
116
|
+
cwe: 'CWE-209',
|
|
117
|
+
pciDss: 'Requirement 6.1',
|
|
118
|
+
remediation: {
|
|
119
|
+
explanation: 'Exposing detailed error information can reveal internal application structure and sensitive data',
|
|
120
|
+
before: 'res.status(500).send(err.stack)',
|
|
121
|
+
after: 'logger.error(err); res.status(500).send("Internal server error")'
|
|
122
|
+
},
|
|
123
|
+
attackVector: {
|
|
124
|
+
description: 'Error messages can reveal database schemas, file paths, and application internals',
|
|
125
|
+
realWorldImpact: [
|
|
126
|
+
'Information disclosure about internal systems',
|
|
127
|
+
'Database structure revelation',
|
|
128
|
+
'File path and directory structure exposure',
|
|
129
|
+
'Technology stack fingerprinting'
|
|
130
|
+
]
|
|
131
|
+
}
|
|
132
|
+
}));
|
|
133
|
+
}
|
|
134
|
+
// Check #3: CORS misconfiguration allowing all origins
|
|
135
|
+
if ((lowerLine.includes('cors') &&
|
|
136
|
+
lowerLine.includes('origin') &&
|
|
137
|
+
(lowerLine.includes('"*"') || lowerLine.includes("'*'") || lowerLine.includes('true'))) ||
|
|
138
|
+
(lowerLine.includes('res.header') || lowerLine.includes('response.header')) &&
|
|
139
|
+
lowerLine.includes('access-control-allow-origin') &&
|
|
140
|
+
(lowerLine.includes('"*"') || lowerLine.includes("'*'"))) {
|
|
141
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
142
|
+
category: 'Security Misconfiguration',
|
|
143
|
+
severity: 'HIGH',
|
|
144
|
+
confidence: 'HIGH',
|
|
145
|
+
message: 'CORS configured to allow requests from any origin',
|
|
146
|
+
line: index + 1,
|
|
147
|
+
suggestion: 'Restrict CORS to specific trusted domains',
|
|
148
|
+
owasp: 'A02:2025',
|
|
149
|
+
cwe: 'CWE-346',
|
|
150
|
+
pciDss: 'Requirement 6.1',
|
|
151
|
+
remediation: {
|
|
152
|
+
explanation: 'Allowing all origins bypasses Same-Origin Policy protection',
|
|
153
|
+
before: 'app.use(cors({ origin: "*" }))',
|
|
154
|
+
after: 'app.use(cors({ origin: ["https://trusted-domain.com"] }))'
|
|
155
|
+
},
|
|
156
|
+
attackVector: {
|
|
157
|
+
description: 'Unrestricted CORS allows malicious websites to make authenticated requests',
|
|
158
|
+
realWorldImpact: [
|
|
159
|
+
'Cross-site request forgery (CSRF) attacks',
|
|
160
|
+
'Data exfiltration from user sessions',
|
|
161
|
+
'Unauthorized API access from malicious sites',
|
|
162
|
+
'Session hijacking and credential theft'
|
|
163
|
+
]
|
|
164
|
+
}
|
|
165
|
+
}));
|
|
166
|
+
}
|
|
167
|
+
// Check #4: Missing security headers configuration
|
|
168
|
+
// Skip if it's specifically CSP/HSTS (handled by Phase B checks #10-12)
|
|
169
|
+
if (lowerLine.includes('helmet') && lowerLine.includes('false') &&
|
|
170
|
+
!lowerLine.includes('contentsecuritypolicy') && !lowerLine.includes('hsts')) {
|
|
171
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
172
|
+
category: 'Security Misconfiguration',
|
|
173
|
+
severity: 'MEDIUM',
|
|
174
|
+
confidence: 'HIGH',
|
|
175
|
+
message: 'security header disabled or misconfigured',
|
|
176
|
+
line: index + 1,
|
|
177
|
+
suggestion: 'Enable security headers (HSTS, CSP, X-Frame-Options) using helmet.js',
|
|
178
|
+
owasp: 'A02:2025',
|
|
179
|
+
cwe: 'CWE-16',
|
|
180
|
+
pciDss: 'Requirement 6.1',
|
|
181
|
+
remediation: {
|
|
182
|
+
explanation: 'Missing security headers expose applications to various client-side attacks',
|
|
183
|
+
before: 'app.use(helmet({ frameguard: false }))',
|
|
184
|
+
after: 'app.use(helmet({ frameguard: { action: "sameorigin" } }))'
|
|
185
|
+
},
|
|
186
|
+
attackVector: {
|
|
187
|
+
description: 'Missing security headers enable clickjacking, XSS, and MITM attacks',
|
|
188
|
+
realWorldImpact: [
|
|
189
|
+
'Clickjacking attacks through iframe embedding',
|
|
190
|
+
'Cross-site scripting (XSS) vulnerabilities',
|
|
191
|
+
'Man-in-the-middle attacks without HSTS',
|
|
192
|
+
'Content injection and data theft'
|
|
193
|
+
]
|
|
194
|
+
}
|
|
195
|
+
}));
|
|
196
|
+
}
|
|
197
|
+
// Check #5: Missing rate limiting on API routes
|
|
198
|
+
// Only flag if Express app is explicitly created AND API routes exist
|
|
199
|
+
if (hasExpressApp && hasApiRoute && !hasRateLimiting) {
|
|
200
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
201
|
+
category: 'Security Misconfiguration',
|
|
202
|
+
severity: 'MEDIUM',
|
|
203
|
+
confidence: 'MEDIUM',
|
|
204
|
+
message: 'API routes defined without rate limiting protection',
|
|
205
|
+
line: index + 1,
|
|
206
|
+
suggestion: 'Implement rate limiting middleware (express-rate-limit) to prevent abuse',
|
|
207
|
+
owasp: 'A02:2025',
|
|
208
|
+
cwe: 'CWE-770',
|
|
209
|
+
pciDss: 'Requirement 6.1',
|
|
210
|
+
remediation: {
|
|
211
|
+
explanation: 'Without rate limiting, APIs are vulnerable to brute force attacks, credential stuffing, and denial of service',
|
|
212
|
+
before: 'app.get(\'/api/login\', loginHandler);',
|
|
213
|
+
after: 'const rateLimit = require(\'express-rate-limit\');\nconst limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });\napp.use(\'/api/\', limiter);'
|
|
214
|
+
},
|
|
215
|
+
attackVector: {
|
|
216
|
+
description: 'Missing rate limiting allows unlimited request attempts',
|
|
217
|
+
realWorldImpact: [
|
|
218
|
+
'Brute force password attacks',
|
|
219
|
+
'Credential stuffing attacks',
|
|
220
|
+
'API abuse and resource exhaustion',
|
|
221
|
+
'Denial of Service (DoS)',
|
|
222
|
+
'Data scraping'
|
|
223
|
+
]
|
|
224
|
+
}
|
|
225
|
+
}));
|
|
226
|
+
// Only report once
|
|
227
|
+
hasApiRoute = false;
|
|
228
|
+
}
|
|
229
|
+
// Check #6: Insecure session configuration
|
|
230
|
+
if (lowerLine.includes('session') &&
|
|
231
|
+
(lowerLine.includes('secure') && lowerLine.includes('false')) ||
|
|
232
|
+
(lowerLine.includes('httponly') && lowerLine.includes('false'))) {
|
|
233
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
234
|
+
category: 'Security Misconfiguration',
|
|
235
|
+
severity: 'MEDIUM',
|
|
236
|
+
confidence: 'HIGH',
|
|
237
|
+
message: 'Insecure session cookie configuration',
|
|
238
|
+
line: index + 1,
|
|
239
|
+
suggestion: 'Enable secure and httpOnly flags for session cookies',
|
|
240
|
+
owasp: 'A02:2025',
|
|
241
|
+
cwe: 'CWE-614',
|
|
242
|
+
pciDss: 'Requirement 6.1',
|
|
243
|
+
remediation: {
|
|
244
|
+
explanation: 'Insecure session cookies can be intercepted or accessed by malicious scripts',
|
|
245
|
+
before: 'app.use(session({ cookie: { secure: false, httpOnly: false } }))',
|
|
246
|
+
after: 'app.use(session({ cookie: { secure: true, httpOnly: true } }))'
|
|
247
|
+
},
|
|
248
|
+
attackVector: {
|
|
249
|
+
description: 'Insecure session cookies enable session hijacking and XSS exploitation',
|
|
250
|
+
realWorldImpact: [
|
|
251
|
+
'Session hijacking over unencrypted connections',
|
|
252
|
+
'JavaScript-based session theft (XSS)',
|
|
253
|
+
'Man-in-the-middle session interception',
|
|
254
|
+
'Account takeover and unauthorized access'
|
|
255
|
+
]
|
|
256
|
+
}
|
|
257
|
+
}));
|
|
258
|
+
}
|
|
259
|
+
// Check #7: Default credentials usage
|
|
260
|
+
if (((lowerLine.includes('username') &&
|
|
261
|
+
(lowerLine.includes('"admin"') || lowerLine.includes("'admin'") ||
|
|
262
|
+
lowerLine.includes('"root"') || lowerLine.includes("'root'"))) ||
|
|
263
|
+
(lowerLine.includes('password') &&
|
|
264
|
+
(lowerLine.includes('"password"') || lowerLine.includes("'password'") ||
|
|
265
|
+
lowerLine.includes('"admin"') || lowerLine.includes("'admin'") ||
|
|
266
|
+
lowerLine.includes('"123456"') || lowerLine.includes("'123456'") ||
|
|
267
|
+
lowerLine.includes('"password123"') || lowerLine.includes("'password123'") ||
|
|
268
|
+
lowerLine.includes('"admin123"') || lowerLine.includes("'admin123'")))) &&
|
|
269
|
+
!lowerLine.includes('process.env')) {
|
|
270
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
271
|
+
category: 'Security Misconfiguration',
|
|
272
|
+
severity: 'CRITICAL',
|
|
273
|
+
confidence: 'HIGH',
|
|
274
|
+
message: 'default admin credentials or weak password detected',
|
|
275
|
+
line: index + 1,
|
|
276
|
+
suggestion: 'Use strong, unique credentials and store securely using environment variables',
|
|
277
|
+
owasp: 'A02:2025',
|
|
278
|
+
cwe: 'CWE-798',
|
|
279
|
+
pciDss: 'Requirement 2.1',
|
|
280
|
+
remediation: {
|
|
281
|
+
explanation: 'Default credentials are well-known and easily exploited by attackers',
|
|
282
|
+
before: 'const auth = { username: "admin", password: "password" }',
|
|
283
|
+
after: 'const auth = { username: process.env.DB_USER, password: process.env.DB_PASS }'
|
|
284
|
+
},
|
|
285
|
+
attackVector: {
|
|
286
|
+
description: 'Default credentials provide immediate unauthorized access to systems',
|
|
287
|
+
realWorldImpact: [
|
|
288
|
+
'Complete system compromise',
|
|
289
|
+
'Unauthorized data access and modification',
|
|
290
|
+
'Privilege escalation opportunities',
|
|
291
|
+
'Lateral movement within network'
|
|
292
|
+
]
|
|
293
|
+
}
|
|
294
|
+
}));
|
|
295
|
+
}
|
|
296
|
+
// Check #8: Administrative interfaces exposed
|
|
297
|
+
if (lowerLine.includes('app.get') || lowerLine.includes('router.get') || lowerLine.includes('app.use')) {
|
|
298
|
+
const urlPattern = trimmedLine.match(/['"`]([^'"`]+)['"`]/);
|
|
299
|
+
if (urlPattern) {
|
|
300
|
+
const url = urlPattern[1].toLowerCase();
|
|
301
|
+
if (url.includes('/admin') || url.includes('/management') ||
|
|
302
|
+
url.includes('/console') || url.includes('/dashboard') ||
|
|
303
|
+
url.includes('/config') || url.includes('/status')) {
|
|
304
|
+
// Check if route has authentication middleware (requireAuth, isAuth, authenticate, etc.)
|
|
305
|
+
const hasAuthMiddleware = trimmedLine.includes('requireAuth') ||
|
|
306
|
+
trimmedLine.includes('isAuth') ||
|
|
307
|
+
trimmedLine.includes('authenticate') ||
|
|
308
|
+
trimmedLine.includes('ensureAuth') ||
|
|
309
|
+
trimmedLine.includes('checkAuth') ||
|
|
310
|
+
trimmedLine.includes('verifyAuth');
|
|
311
|
+
if (!hasAuthMiddleware) {
|
|
312
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
313
|
+
category: 'Security Misconfiguration',
|
|
314
|
+
severity: 'HIGH',
|
|
315
|
+
confidence: 'MEDIUM',
|
|
316
|
+
message: 'admin interface may be exposed without proper protection',
|
|
317
|
+
line: index + 1,
|
|
318
|
+
suggestion: 'Implement authentication and authorization for administrative endpoints',
|
|
319
|
+
owasp: 'A02:2025',
|
|
320
|
+
cwe: 'CWE-200',
|
|
321
|
+
pciDss: 'Requirement 7.1',
|
|
322
|
+
remediation: {
|
|
323
|
+
explanation: 'Exposed administrative interfaces provide attack entry points',
|
|
324
|
+
before: 'app.get("/admin", (req, res) => { ... })',
|
|
325
|
+
after: 'app.get("/admin", authenticateAdmin, authorizeAdmin, (req, res) => { ... })'
|
|
326
|
+
},
|
|
327
|
+
attackVector: {
|
|
328
|
+
description: 'Unprotected admin interfaces allow unauthorized system control',
|
|
329
|
+
realWorldImpact: [
|
|
330
|
+
'Unauthorized administrative access',
|
|
331
|
+
'System configuration changes',
|
|
332
|
+
'User account manipulation',
|
|
333
|
+
'Complete application compromise'
|
|
334
|
+
]
|
|
335
|
+
}
|
|
336
|
+
}));
|
|
337
|
+
}
|
|
338
|
+
}
|
|
339
|
+
}
|
|
340
|
+
}
|
|
341
|
+
// Check #9: Unnecessary HTTP methods enabled globally
|
|
342
|
+
if (lowerLine.includes('app.use') &&
|
|
343
|
+
(lowerLine.includes('methodoverride') || lowerLine.includes('method-override'))) {
|
|
344
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
345
|
+
category: 'Security Misconfiguration',
|
|
346
|
+
severity: 'MEDIUM',
|
|
347
|
+
confidence: 'MEDIUM',
|
|
348
|
+
message: 'HTTP method override enabled - may expose unnecessary HTTP methods',
|
|
349
|
+
line: index + 1,
|
|
350
|
+
suggestion: 'Disable method override or restrict to specific routes if not needed',
|
|
351
|
+
owasp: 'A02:2025',
|
|
352
|
+
cwe: 'CWE-16',
|
|
353
|
+
pciDss: 'Requirement 6.1',
|
|
354
|
+
remediation: {
|
|
355
|
+
explanation: 'Method override can enable unintended HTTP methods that bypass security controls',
|
|
356
|
+
before: 'app.use(methodOverride())',
|
|
357
|
+
after: 'app.use(methodOverride({ methods: ["POST"] })) // or remove if not needed'
|
|
358
|
+
},
|
|
359
|
+
attackVector: {
|
|
360
|
+
description: 'Additional HTTP methods can bypass security controls and access restrictions',
|
|
361
|
+
realWorldImpact: [
|
|
362
|
+
'Bypass of access control mechanisms',
|
|
363
|
+
'Unintended data modification via PUT/DELETE',
|
|
364
|
+
'Web application firewall evasion',
|
|
365
|
+
'Cross-site request forgery opportunities'
|
|
366
|
+
]
|
|
367
|
+
}
|
|
368
|
+
}));
|
|
369
|
+
}
|
|
370
|
+
// Check #9: HTTP TRACE method enabled (NEW - OWASP 2025 Test)
|
|
371
|
+
if (lowerLine.match(/app\.(trace|connect|options)\s*\(/)) {
|
|
372
|
+
const method = trimmedLine.match(/app\.(\w+)\s*\(/)?.[1]?.toUpperCase() || 'UNKNOWN';
|
|
373
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
374
|
+
category: 'Security Misconfiguration',
|
|
375
|
+
severity: 'MEDIUM',
|
|
376
|
+
confidence: 'HIGH',
|
|
377
|
+
message: `unsafe HTTP method ${method} enabled - should be disabled in production`,
|
|
378
|
+
line: index + 1,
|
|
379
|
+
suggestion: `Disable ${method} method or restrict to development environment only`,
|
|
380
|
+
owasp: 'A05:2021',
|
|
381
|
+
cwe: 'CWE-16',
|
|
382
|
+
pciDss: 'Requirement 6.1',
|
|
383
|
+
remediation: {
|
|
384
|
+
explanation: `${method} method can expose sensitive information and enable cross-site tracing (XST) attacks`,
|
|
385
|
+
before: `app.${method.toLowerCase()}('/api/debug', (req, res) => { ... })`,
|
|
386
|
+
after: `// Remove ${method} endpoints in production or use environment check:\nif (process.env.NODE_ENV !== 'production') {\n app.${method.toLowerCase()}('/api/debug', ...);\n}`
|
|
387
|
+
},
|
|
388
|
+
attackVector: {
|
|
389
|
+
description: `${method} method can be exploited for reconnaissance and cross-site attacks`,
|
|
390
|
+
realWorldImpact: [
|
|
391
|
+
'Information disclosure (TRACE echoes request headers)',
|
|
392
|
+
'Cross-site tracing (XST) attacks',
|
|
393
|
+
'Session hijacking via stolen cookies',
|
|
394
|
+
'Bypassing HTTPOnly cookie protection'
|
|
395
|
+
]
|
|
396
|
+
}
|
|
397
|
+
}));
|
|
398
|
+
}
|
|
399
|
+
// =============================================================================
|
|
400
|
+
// PHASE B - Enhanced Helmet Configuration Detection (Dec 21, 2025)
|
|
401
|
+
// =============================================================================
|
|
402
|
+
// Check #10: Enhanced Helmet Configuration - Disabled CSP
|
|
403
|
+
// Check multiline for helmet config
|
|
404
|
+
const checkDisabledCSP = () => {
|
|
405
|
+
if (trimmedLine.includes('helmet(')) {
|
|
406
|
+
// Check current line first
|
|
407
|
+
if (trimmedLine.includes('contentSecurityPolicy') && trimmedLine.includes('false')) {
|
|
408
|
+
return true;
|
|
409
|
+
}
|
|
410
|
+
// Check next few lines for multiline config
|
|
411
|
+
const lookAhead = 10;
|
|
412
|
+
for (let i = index + 1; i < Math.min(index + lookAhead, lines.length); i++) {
|
|
413
|
+
const checkLine = lines[i].trim();
|
|
414
|
+
if (checkLine.includes('contentSecurityPolicy') && checkLine.includes('false')) {
|
|
415
|
+
return true;
|
|
416
|
+
}
|
|
417
|
+
// Stop if we hit closing bracket
|
|
418
|
+
if (checkLine.includes('});') || checkLine.includes('));')) {
|
|
419
|
+
break;
|
|
420
|
+
}
|
|
421
|
+
}
|
|
422
|
+
}
|
|
423
|
+
return false;
|
|
424
|
+
};
|
|
425
|
+
if (checkDisabledCSP()) {
|
|
426
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
427
|
+
category: 'Security Misconfiguration',
|
|
428
|
+
severity: 'MEDIUM',
|
|
429
|
+
confidence: 'HIGH',
|
|
430
|
+
message: 'security header CSP (Content Security Policy) disabled - leaves app vulnerable to XSS',
|
|
431
|
+
line: index + 1,
|
|
432
|
+
suggestion: 'Enable CSP with strict directives',
|
|
433
|
+
owasp: 'A02:2025',
|
|
434
|
+
cwe: 'CWE-693',
|
|
435
|
+
pciDss: 'Requirement 6.1',
|
|
436
|
+
remediation: {
|
|
437
|
+
explanation: 'Content Security Policy is one of the most important security headers. Disabling it removes a critical defense against XSS attacks, allowing attackers to inject malicious scripts.',
|
|
438
|
+
before: 'app.use(helmet({ contentSecurityPolicy: false }));',
|
|
439
|
+
after: 'app.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: ["\'self\'"],\n scriptSrc: ["\'self\'"],\n styleSrc: ["\'self\'"]\n }\n }\n}));'
|
|
440
|
+
},
|
|
441
|
+
attackVector: {
|
|
442
|
+
description: 'Without CSP, XSS attacks can execute malicious scripts freely',
|
|
443
|
+
realWorldImpact: [
|
|
444
|
+
'Cross-Site Scripting (XSS) attacks',
|
|
445
|
+
'Data theft via malicious scripts',
|
|
446
|
+
'Session hijacking',
|
|
447
|
+
'Phishing attacks',
|
|
448
|
+
'Malware distribution'
|
|
449
|
+
]
|
|
450
|
+
}
|
|
451
|
+
}));
|
|
452
|
+
}
|
|
453
|
+
// Check #11: Enhanced Helmet Configuration - Disabled HSTS
|
|
454
|
+
const checkDisabledHSTS = () => {
|
|
455
|
+
if (trimmedLine.includes('helmet(')) {
|
|
456
|
+
// Check current line first
|
|
457
|
+
if (trimmedLine.includes('hsts') && trimmedLine.includes('false')) {
|
|
458
|
+
return true;
|
|
459
|
+
}
|
|
460
|
+
// Check next few lines for multiline config
|
|
461
|
+
const lookAhead = 10;
|
|
462
|
+
for (let i = index + 1; i < Math.min(index + lookAhead, lines.length); i++) {
|
|
463
|
+
const checkLine = lines[i].trim();
|
|
464
|
+
if (checkLine.includes('hsts') && checkLine.includes('false')) {
|
|
465
|
+
return true;
|
|
466
|
+
}
|
|
467
|
+
// Stop if we hit closing bracket
|
|
468
|
+
if (checkLine.includes('});') || checkLine.includes('));')) {
|
|
469
|
+
break;
|
|
470
|
+
}
|
|
471
|
+
}
|
|
472
|
+
}
|
|
473
|
+
return false;
|
|
474
|
+
};
|
|
475
|
+
if (checkDisabledHSTS()) {
|
|
476
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
477
|
+
category: 'Security Misconfiguration',
|
|
478
|
+
severity: 'HIGH',
|
|
479
|
+
confidence: 'HIGH',
|
|
480
|
+
message: 'Helmet HSTS (Strict-Transport-Security) disabled - allows downgrade attacks',
|
|
481
|
+
line: index + 1,
|
|
482
|
+
suggestion: 'Enable HSTS with maxAge >= 31536000 (1 year)',
|
|
483
|
+
owasp: 'A02:2025',
|
|
484
|
+
cwe: 'CWE-693',
|
|
485
|
+
pciDss: 'Requirement 6.1',
|
|
486
|
+
remediation: {
|
|
487
|
+
explanation: 'HTTP Strict Transport Security forces browsers to use HTTPS. Disabling it allows man-in-the-middle attacks to downgrade connections to unencrypted HTTP.',
|
|
488
|
+
before: 'app.use(helmet({ hsts: false }));',
|
|
489
|
+
after: 'app.use(helmet({\n hsts: {\n maxAge: 31536000,\n includeSubDomains: true,\n preload: true\n }\n}));'
|
|
490
|
+
},
|
|
491
|
+
attackVector: {
|
|
492
|
+
description: 'Without HSTS, MITM attackers can downgrade HTTPS to HTTP',
|
|
493
|
+
realWorldImpact: [
|
|
494
|
+
'Man-in-the-middle attacks',
|
|
495
|
+
'SSL stripping attacks',
|
|
496
|
+
'Session hijacking',
|
|
497
|
+
'Credential theft',
|
|
498
|
+
'Traffic eavesdropping'
|
|
499
|
+
]
|
|
500
|
+
}
|
|
501
|
+
}));
|
|
502
|
+
}
|
|
503
|
+
// Check #12: Enhanced Helmet Configuration - Unsafe CSP directives
|
|
504
|
+
// Check multiple lines ahead for multiline helmet config
|
|
505
|
+
const checkUnsafeDirectives = () => {
|
|
506
|
+
const lookAhead = 10;
|
|
507
|
+
let hasUnsafeDirective = false;
|
|
508
|
+
// Check if helmet( is on current line or nearby
|
|
509
|
+
if (trimmedLine.includes('helmet(')) {
|
|
510
|
+
// Look ahead for unsafe directives in multiline config
|
|
511
|
+
for (let i = index; i < Math.min(index + lookAhead, lines.length); i++) {
|
|
512
|
+
const checkLine = lines[i].trim();
|
|
513
|
+
if (checkLine.includes('unsafe-inline') ||
|
|
514
|
+
checkLine.includes('unsafe-eval') ||
|
|
515
|
+
(checkLine.includes('defaultSrc') && checkLine.includes('[') && checkLine.includes('*'))) {
|
|
516
|
+
hasUnsafeDirective = true;
|
|
517
|
+
break;
|
|
518
|
+
}
|
|
519
|
+
}
|
|
520
|
+
}
|
|
521
|
+
return hasUnsafeDirective;
|
|
522
|
+
};
|
|
523
|
+
if (checkUnsafeDirectives()) {
|
|
524
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
525
|
+
category: 'Security Misconfiguration',
|
|
526
|
+
severity: 'HIGH',
|
|
527
|
+
confidence: 'HIGH',
|
|
528
|
+
message: 'Helmet CSP with unsafe directives (unsafe-inline, unsafe-eval, or *)',
|
|
529
|
+
line: index + 1,
|
|
530
|
+
suggestion: 'Remove unsafe-inline, unsafe-eval, and * from CSP directives',
|
|
531
|
+
owasp: 'A02:2025',
|
|
532
|
+
cwe: 'CWE-693',
|
|
533
|
+
pciDss: 'Requirement 6.1',
|
|
534
|
+
remediation: {
|
|
535
|
+
explanation: 'Using unsafe-inline, unsafe-eval, or wildcard (*) in Content Security Policy defeats its purpose by allowing execution of inline scripts and eval(), which are primary XSS attack vectors.',
|
|
536
|
+
before: 'app.use(helmet({\n contentSecurityPolicy: {\n directives: { scriptSrc: ["\'unsafe-inline\'", "*"] }\n }\n}));',
|
|
537
|
+
after: 'app.use(helmet({\n contentSecurityPolicy: {\n directives: {\n defaultSrc: ["\'self\'"],\n scriptSrc: ["\'self\'"],\n styleSrc: ["\'self\'"]\n }\n }\n}));'
|
|
538
|
+
},
|
|
539
|
+
attackVector: {
|
|
540
|
+
description: 'Unsafe CSP directives allow XSS attacks despite having CSP enabled',
|
|
541
|
+
realWorldImpact: [
|
|
542
|
+
'XSS attacks despite CSP being enabled',
|
|
543
|
+
'Inline script execution',
|
|
544
|
+
'eval() code execution',
|
|
545
|
+
'Loading scripts from any origin (*)'
|
|
546
|
+
]
|
|
547
|
+
}
|
|
548
|
+
}));
|
|
549
|
+
}
|
|
550
|
+
// =============================================================================
|
|
551
|
+
// PHASE B - CSRF Protection Detection (Dec 21, 2025)
|
|
552
|
+
// =============================================================================
|
|
553
|
+
// Track CSRF middleware usage
|
|
554
|
+
if (trimmedLine.includes('csurf') || trimmedLine.includes('csrf')) {
|
|
555
|
+
hasCsrfMiddleware = true;
|
|
556
|
+
}
|
|
557
|
+
// Check #13: Missing CSRF Protection on state-changing routes
|
|
558
|
+
const stateChangingRoute = trimmedLine.match(/\.(post|put|delete|patch)\s*\(/);
|
|
559
|
+
if (stateChangingRoute && !hasCsrfMiddleware) {
|
|
560
|
+
const method = stateChangingRoute[1].toUpperCase();
|
|
561
|
+
// Check if route handles sensitive operations
|
|
562
|
+
const isSensitiveRoute = trimmedLine.includes('/login') ||
|
|
563
|
+
trimmedLine.includes('/signup') ||
|
|
564
|
+
trimmedLine.includes('/register') ||
|
|
565
|
+
trimmedLine.includes('/transfer') ||
|
|
566
|
+
trimmedLine.includes('/payment') ||
|
|
567
|
+
trimmedLine.includes('/delete') ||
|
|
568
|
+
trimmedLine.includes('/update') ||
|
|
569
|
+
trimmedLine.includes('/create');
|
|
570
|
+
if (isSensitiveRoute) {
|
|
571
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
572
|
+
category: 'Security Misconfiguration',
|
|
573
|
+
severity: 'HIGH',
|
|
574
|
+
confidence: 'HIGH',
|
|
575
|
+
message: `Missing CSRF protection on ${method} route - vulnerable to cross-site request forgery`,
|
|
576
|
+
line: index + 1,
|
|
577
|
+
suggestion: 'Add CSRF middleware (csurf) to protect state-changing routes',
|
|
578
|
+
owasp: 'A01:2021',
|
|
579
|
+
cwe: 'CWE-352',
|
|
580
|
+
pciDss: 'Requirement 6.5.9',
|
|
581
|
+
remediation: {
|
|
582
|
+
explanation: 'Cross-Site Request Forgery (CSRF) allows attackers to trick authenticated users into executing unwanted actions. Without CSRF tokens, an attacker can forge requests using the victim\'s session cookies.',
|
|
583
|
+
before: `app.${stateChangingRoute[1]}('/transfer', (req, res) => { ... });`,
|
|
584
|
+
after: `import csrf from 'csurf';\nconst csrfProtection = csrf({ cookie: true });\napp.use(csrfProtection);\napp.${stateChangingRoute[1]}('/transfer', csrfProtection, (req, res) => { ... });`
|
|
585
|
+
},
|
|
586
|
+
attackVector: {
|
|
587
|
+
description: 'CSRF allows attackers to perform actions on behalf of authenticated users',
|
|
588
|
+
realWorldImpact: [
|
|
589
|
+
'Unauthorized state changes (money transfer, password change)',
|
|
590
|
+
'Account takeover via forced actions',
|
|
591
|
+
'Data manipulation and deletion',
|
|
592
|
+
'Privilege escalation attacks'
|
|
593
|
+
]
|
|
594
|
+
}
|
|
595
|
+
}));
|
|
596
|
+
}
|
|
597
|
+
}
|
|
598
|
+
// Check #14: Session cookie without SameSite attribute
|
|
599
|
+
if ((trimmedLine.includes('session(') || trimmedLine.includes('cookie(')) &&
|
|
600
|
+
trimmedLine.includes('{')) {
|
|
601
|
+
// Check if sameSite is present in current line or nearby lines (multiline config)
|
|
602
|
+
let hasSameSite = false;
|
|
603
|
+
const lookAhead = 10;
|
|
604
|
+
for (let i = index; i < Math.min(index + lookAhead, lines.length); i++) {
|
|
605
|
+
if (lines[i].includes('sameSite')) {
|
|
606
|
+
hasSameSite = true;
|
|
607
|
+
break;
|
|
608
|
+
}
|
|
609
|
+
// Stop looking if we hit a closing bracket/parenthesis
|
|
610
|
+
if (lines[i].includes('});') || lines[i].includes('));')) {
|
|
611
|
+
break;
|
|
612
|
+
}
|
|
613
|
+
}
|
|
614
|
+
if (!hasSameSite) {
|
|
615
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
616
|
+
category: 'Security Misconfiguration',
|
|
617
|
+
severity: 'HIGH',
|
|
618
|
+
confidence: 'HIGH',
|
|
619
|
+
message: 'Session cookie without SameSite attribute - vulnerable to CSRF',
|
|
620
|
+
line: index + 1,
|
|
621
|
+
suggestion: 'Set SameSite attribute to \'Strict\' or \'Lax\' for session cookies',
|
|
622
|
+
owasp: 'A01:2021',
|
|
623
|
+
cwe: 'CWE-352',
|
|
624
|
+
pciDss: 'Requirement 6.5.9',
|
|
625
|
+
remediation: {
|
|
626
|
+
explanation: 'Without the SameSite cookie attribute, browsers send cookies with cross-origin requests, enabling CSRF attacks. The SameSite attribute prevents browsers from sending cookies with cross-site requests.',
|
|
627
|
+
before: 'app.use(session({ secret: \'key\', cookie: { httpOnly: true } }));',
|
|
628
|
+
after: 'app.use(session({ secret: \'key\', cookie: { httpOnly: true, sameSite: \'Strict\', secure: true } }));'
|
|
629
|
+
},
|
|
630
|
+
attackVector: {
|
|
631
|
+
description: 'Missing SameSite attribute allows CSRF attacks via cross-origin requests',
|
|
632
|
+
realWorldImpact: [
|
|
633
|
+
'Cross-Site Request Forgery (CSRF) attacks',
|
|
634
|
+
'Session hijacking via cross-origin requests',
|
|
635
|
+
'Unauthorized actions on behalf of authenticated users'
|
|
636
|
+
]
|
|
637
|
+
}
|
|
638
|
+
}));
|
|
639
|
+
}
|
|
640
|
+
}
|
|
641
|
+
// =============================================================================
|
|
642
|
+
// PHASE 1 ENHANCEMENTS (Dec 30, 2025) - A05 Coverage Improvements
|
|
643
|
+
// =============================================================================
|
|
644
|
+
// Check #15: Error middleware with error exposure (NEW)
|
|
645
|
+
// Pattern: app.use((err, req, res, next) => { res.send(err.stack) })
|
|
646
|
+
// This is the EXACT user test case that failed
|
|
647
|
+
const errorMiddlewarePattern = /\(\s*(err|error)\s*,\s*req\s*,\s*res\s*,\s*next\s*\)/i;
|
|
648
|
+
if (trimmedLine.match(errorMiddlewarePattern)) {
|
|
649
|
+
// Check next 10 lines for error exposure
|
|
650
|
+
const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
|
|
651
|
+
const hasErrorExposureInHandler = nextLines.some(l => {
|
|
652
|
+
const lowerNextLine = l.toLowerCase();
|
|
653
|
+
return ((lowerNextLine.includes('res.send') || lowerNextLine.includes('res.json')) &&
|
|
654
|
+
(lowerNextLine.includes('err.stack') || lowerNextLine.includes('error.stack') ||
|
|
655
|
+
lowerNextLine.includes('err.message') || lowerNextLine.includes('error.message') ||
|
|
656
|
+
lowerNextLine.includes('err)') || lowerNextLine.includes('error)')));
|
|
657
|
+
});
|
|
658
|
+
if (hasErrorExposureInHandler) {
|
|
659
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
660
|
+
category: 'Security Misconfiguration',
|
|
661
|
+
severity: 'CRITICAL',
|
|
662
|
+
confidence: 'HIGH',
|
|
663
|
+
message: 'Error middleware exposes sensitive error details to clients',
|
|
664
|
+
line: index + 1,
|
|
665
|
+
suggestion: 'Return generic error messages to clients, log detailed errors server-side only',
|
|
666
|
+
owasp: 'A05:2021',
|
|
667
|
+
cwe: 'CWE-209',
|
|
668
|
+
pciDss: 'Requirement 6.5.5',
|
|
669
|
+
remediation: {
|
|
670
|
+
explanation: 'Error handling middleware that sends detailed error information (stack traces, error messages) to clients reveals internal application structure, file paths, and sensitive debugging information that attackers can exploit.',
|
|
671
|
+
before: 'app.use((err, req, res, next) => {\n res.status(500).send(err.stack);\n});',
|
|
672
|
+
after: 'app.use((err, req, res, next) => {\n logger.error("Error:", err); // Log server-side\n res.status(500).send("Internal server error"); // Generic message to client\n});'
|
|
673
|
+
},
|
|
674
|
+
attackVector: {
|
|
675
|
+
description: 'Error middleware exposing stack traces reveals file paths, function names, and internal logic',
|
|
676
|
+
realWorldImpact: [
|
|
677
|
+
'File path and directory structure exposure',
|
|
678
|
+
'Function names and call stack revelation',
|
|
679
|
+
'Database query exposure via error messages',
|
|
680
|
+
'Third-party library versions disclosed',
|
|
681
|
+
'Sensitive configuration details leaked',
|
|
682
|
+
'Enables targeted attacks based on internal knowledge'
|
|
683
|
+
]
|
|
684
|
+
}
|
|
685
|
+
}));
|
|
686
|
+
}
|
|
687
|
+
}
|
|
688
|
+
// Check #16: Debug/status endpoints exposing sensitive information (NEW)
|
|
689
|
+
// Pattern: app.get('/debug') or app.get('/status') returning process.env, config, etc.
|
|
690
|
+
const debugEndpointPattern = /\.(get|use|all)\s*\(\s*['"`]\/(?:debug|status|health|info|config|env)/i;
|
|
691
|
+
if (trimmedLine.match(debugEndpointPattern)) {
|
|
692
|
+
// Check next 10 lines for sensitive data exposure
|
|
693
|
+
const nextLines = lines.slice(index, Math.min(index + 10, lines.length));
|
|
694
|
+
const exposesSensitiveData = nextLines.some(l => {
|
|
695
|
+
const lowerNextLine = l.toLowerCase();
|
|
696
|
+
return (lowerNextLine.includes('process.env') ||
|
|
697
|
+
lowerNextLine.includes('config') ||
|
|
698
|
+
lowerNextLine.includes('credentials') ||
|
|
699
|
+
lowerNextLine.includes('secret') ||
|
|
700
|
+
lowerNextLine.includes('password') ||
|
|
701
|
+
lowerNextLine.includes('apikey') ||
|
|
702
|
+
lowerNextLine.includes('api_key'));
|
|
703
|
+
});
|
|
704
|
+
if (exposesSensitiveData) {
|
|
705
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
706
|
+
category: 'Security Misconfiguration',
|
|
707
|
+
severity: 'CRITICAL',
|
|
708
|
+
confidence: 'HIGH',
|
|
709
|
+
message: 'Debug/status endpoint exposes sensitive configuration or environment variables',
|
|
710
|
+
line: index + 1,
|
|
711
|
+
suggestion: 'Remove debug endpoints from production or protect with strong authentication',
|
|
712
|
+
owasp: 'A05:2021',
|
|
713
|
+
cwe: 'CWE-215',
|
|
714
|
+
pciDss: 'Requirement 6.5.5',
|
|
715
|
+
remediation: {
|
|
716
|
+
explanation: 'Debug and status endpoints that expose environment variables, configuration, or credentials provide attackers with sensitive information needed to compromise the system.',
|
|
717
|
+
before: 'app.get("/debug", (req, res) => {\n res.json({ env: process.env, config });\n});',
|
|
718
|
+
after: '// Remove debug endpoints from production\nif (process.env.NODE_ENV !== "production") {\n app.get("/debug", authenticate, (req, res) => {\n res.json({ version: pkg.version }); // Only non-sensitive info\n });\n}'
|
|
719
|
+
},
|
|
720
|
+
attackVector: {
|
|
721
|
+
description: 'Debug endpoints reveal sensitive configuration enabling credential theft and system access',
|
|
722
|
+
realWorldImpact: [
|
|
723
|
+
'API keys and secrets exposure',
|
|
724
|
+
'Database credentials disclosure',
|
|
725
|
+
'Internal service URLs revealed',
|
|
726
|
+
'Authentication tokens leaked',
|
|
727
|
+
'Environment configuration exposed',
|
|
728
|
+
'Complete system compromise possible'
|
|
729
|
+
]
|
|
730
|
+
}
|
|
731
|
+
}));
|
|
732
|
+
}
|
|
733
|
+
}
|
|
734
|
+
// Check #17: Production code with verbose error details (NEW)
|
|
735
|
+
// Pattern: Detailed error responses in production code
|
|
736
|
+
if ((lowerLine.includes('res.status(500)') || lowerLine.includes('res.status(400)') ||
|
|
737
|
+
lowerLine.includes('res.status(401)') || lowerLine.includes('res.status(403)')) &&
|
|
738
|
+
(trimmedLine.includes('err') || trimmedLine.includes('error')) &&
|
|
739
|
+
!trimmedLine.includes('logger') &&
|
|
740
|
+
!trimmedLine.includes('log(')) {
|
|
741
|
+
// Check if it's exposing error details
|
|
742
|
+
const exposesErrorDetails = trimmedLine.match(/\.send\s*\(\s*(err|error)(?:\.|\))/i) ||
|
|
743
|
+
trimmedLine.match(/\.json\s*\(\s*\{\s*error\s*:\s*(err|error)/i);
|
|
744
|
+
if (exposesErrorDetails) {
|
|
745
|
+
vulnerabilities.push((0, createVulnerability_1.createJavaScriptSecurityVulnerability)({
|
|
746
|
+
category: 'Security Misconfiguration',
|
|
747
|
+
severity: 'MEDIUM',
|
|
748
|
+
confidence: 'MEDIUM',
|
|
749
|
+
message: 'Error response may expose internal error details without logging',
|
|
750
|
+
line: index + 1,
|
|
751
|
+
suggestion: 'Log errors server-side and return generic messages to clients',
|
|
752
|
+
owasp: 'A05:2021',
|
|
753
|
+
cwe: 'CWE-209',
|
|
754
|
+
pciDss: 'Requirement 6.5.5',
|
|
755
|
+
remediation: {
|
|
756
|
+
explanation: 'Returning raw error objects or messages directly to clients can leak sensitive information.',
|
|
757
|
+
before: 'res.status(500).json({ error: err });',
|
|
758
|
+
after: 'logger.error(err);\nres.status(500).json({ error: "Internal server error" });'
|
|
759
|
+
},
|
|
760
|
+
attackVector: {
|
|
761
|
+
description: 'Detailed error responses enable information gathering and targeted attacks',
|
|
762
|
+
realWorldImpact: [
|
|
763
|
+
'Internal logic exposure',
|
|
764
|
+
'Stack trace leakage',
|
|
765
|
+
'Dependency version disclosure',
|
|
766
|
+
'Database schema hints'
|
|
767
|
+
]
|
|
768
|
+
}
|
|
769
|
+
}));
|
|
770
|
+
}
|
|
771
|
+
}
|
|
772
|
+
});
|
|
773
|
+
return vulnerabilities;
|
|
774
|
+
}
|
|
775
|
+
//# sourceMappingURL=security-misconfiguration.js.map
|