codeslick-cli 1.0.0

package/dist/src/lib/analyzers/python/security-checks/exception-handling.js

@@ -0,0 +1,120 @@
+"use strict";
+/**
+ * Python Exception Handling Security Checks
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
+ *
+ * Detects improper exception handling that can lead to security vulnerabilities.
+ * This is a completely NEW category in OWASP 2025.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkExceptionHandling = checkExceptionHandling;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for exception handling security vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Bare except clauses (HIGH)
+ * - Check #2: Exception details exposed in responses (HIGH)
+ * - Check #3: Silent exception suppression (MEDIUM)
+ * - Check #4: Resource cleanup missing in exceptions (MEDIUM)
+ * - Check #5: Incorrect exception handling patterns (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkExceptionHandling(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const trimmedLine = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmedLine.includes('"""') || trimmedLine.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                // Start of multi-line comment
+                inMultiLineComment = true;
+                // Check if it closes on the same line (single-line docstring)
+                const tripleQuoteCount = (trimmedLine.match(/"""/g) || []).length + (trimmedLine.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    // Opens and closes on same line, reset flag
+                    inMultiLineComment = false;
+                }
+                return; // Skip this line
+            }
+            else {
+                // End of multi-line comment
+                inMultiLineComment = false;
+                return; // Skip this line
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmedLine ||
+            inMultiLineComment ||
+            trimmedLine.startsWith('#')) {
+            return;
+        }
+        const lowerLine = trimmedLine.toLowerCase();
+        // Check #1: Bare except clauses
+        if (lowerLine.includes('except:') || lowerLine === 'except') {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('bare-except-clause', 'Bare except clause catches all exceptions including system exits', 'Catch specific exception types instead of using bare except', index + 1, 'Bare except clauses can mask security-critical exceptions and prevent proper error handling', 'try:\n    risky_operation()\nexcept:\n    pass  # catches SystemExit, KeyboardInterrupt, etc.', [
+                'Security exceptions masked and ignored',
+                'System exit and keyboard interrupt prevention',
+                'Debugging difficulties from hidden errors',
+                'Potential for silent security failures'
+            ], 'except:', 'except ValueError as e:', 'Bare except clauses catch all exceptions including system-level ones that should not be suppressed'));
+        }
+        // Check #2: Exception details exposed in HTTP responses
+        if ((lowerLine.includes('return') || lowerLine.includes('response') ||
+            lowerLine.includes('jsonify') || lowerLine.includes('render_template')) &&
+            (lowerLine.includes('str(e)') || lowerLine.includes('str(ex)') ||
+                lowerLine.includes('exception') || lowerLine.includes('traceback'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('exception-details-exposed', 'Exception details may be exposed in HTTP responses', 'Log detailed errors server-side, return generic messages to clients', index + 1, 'Exposing exception details reveals sensitive internal application information', 'return jsonify({"error": str(e)}) # exposes full exception details to client', [
+                'Internal application structure exposure',
+                'File paths and system information disclosure',
+                'Database schema and connection details revelation',
+                'Third-party service configuration exposure'
+            ], 'return str(exception)', 'logger.error("Operation failed", exc_info=True); return "Internal server error"', 'Exception details contain sensitive debugging information that should not be exposed to clients'));
+        }
+        // Check #3: Silent exception suppression with pass
+        if (lowerLine.includes('except') &&
+            lines.slice(index + 1, Math.min(index + 3, lines.length)).some(nextLine => nextLine.trim().toLowerCase() === 'pass')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('silent-exception-suppression', 'Exception caught and silently ignored with pass statement', 'Add proper error handling, logging, or re-raise the exception', index + 1, 'Silent exception suppression can hide security vulnerabilities and cause unpredictable behavior', 'except Exception:\n    pass  # security errors completely ignored', [
+                'Security vulnerabilities hidden from detection',
+                'Authentication and authorization bypasses',
+                'Data integrity issues from ignored validation errors',
+                'Audit trail gaps from suppressed security events'
+            ], 'except Exception:\n    pass', 'except Exception as e:\n    logger.warning("Operation failed, using fallback", exc_info=True)\n    return fallback_value', 'Silent exception suppression prevents visibility into potentially security-critical failures'));
+        }
+        // Check #4: Resource cleanup missing in exception scenarios
+        if ((lowerLine.includes('open(') || lowerLine.includes('connect(') ||
+            lowerLine.includes('socket(') || lowerLine.includes('urlopen(')) &&
+            !lines.slice(index, Math.min(index + 10, lines.length)).some(nextLine => nextLine.toLowerCase().includes('finally:') ||
+                nextLine.toLowerCase().includes('with ') ||
+                nextLine.toLowerCase().includes('.close()'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('missing-resource-cleanup', 'Resource may not be properly cleaned up in exception scenarios', 'Use with statements or try-finally blocks to ensure resource cleanup', index + 1, 'Improper resource cleanup during exceptions can lead to resource leaks and denial of service', 'file = open("sensitive.txt"); data = file.read() # no finally or with statement', [
+                'Memory leaks from unclosed file handles',
+                'Connection pool exhaustion',
+                'Database connection leaks',
+                'Denial of service from resource exhaustion'
+            ], 'file = open("data.txt")', 'with open("data.txt") as file:\n    # operations here', 'Resources opened without guaranteed cleanup can cause leaks when exceptions occur'));
+        }
+        // Check #5: Incorrect exception handling patterns
+        if (lowerLine.includes('except') && lowerLine.includes(':')) {
+            // Check if continue or break appears in the next few lines (exception handler body)
+            const hasContinueOrBreak = lines.slice(index + 1, Math.min(index + 4, lines.length)).some(nextLine => {
+                const nextTrimmed = nextLine.trim().toLowerCase();
+                return nextTrimmed.startsWith('continue') || nextTrimmed.startsWith('break');
+            });
+            if (hasContinueOrBreak) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('incorrect-exception-pattern', 'Exception handling with continue/break may mask important errors', 'Handle exceptions appropriately instead of using flow control statements', index + 1, 'Using continue/break in exception handlers can mask security-critical errors', 'for item in items:\n    try:\n        process(item)\n    except SecurityError:\n        continue  # security error ignored', [
+                    'Security exceptions bypassed in loops',
+                    'Incomplete processing of security-sensitive data',
+                    'Error accumulation leading to system instability',
+                    'Missing security validations in batch operations'
+                ], 'except Exception:\n    continue', 'except Exception as e:\n    logger.error("Item processing failed", exc_info=True)\n    # decide appropriate action based on error type', 'Flow control in exception handlers can hide important security errors that require attention'));
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=exception-handling.js.map

package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"exception-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/exception-handling.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,wDA+KC;AA9LD,sEAAiF;AAEjF;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,gCAAgC;QAChC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;YAC5D,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,oBAAoB,EACpB,kEAAkE,EAClE,6DAA6D,EAC7D,KAAK,GAAG,CAAC,EACT,6FAA6F,EAC7F,+FAA+F,EAC/F;gBACE,wCAAwC;gBACxC,+CAA+C;gBAC/C,2CAA2C;gBAC3C,wCAAwC;aACzC,EACD,SAAS,EACT,yBAAyB,EACzB,oGAAoG,CACrG,CACF,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC;YACxE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,2BAA2B,EAC3B,oDAAoD,EACpD,qEAAqE,EACrE,KAAK,GAAG,CAAC,EACT,+EAA+E,EAC/E,8EAA8E,EAC9E;gBACE,yCAAyC;gBACzC,8CAA8C;gBAC9C,mDAAmD;gBACnD,4CAA4C;aAC7C,EACD,uBAAuB,EACvB,iFAAiF,EACjF,iGAAiG,CAClG,CACF,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5B,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACxE,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,EAAE,CAAC;YAChD,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,8BAA8B,EAC9B,2DAA2D,EAC3D,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,iGAAiG,EACjG,mEAAmE,EACnE;gBACE,gDAAgD;gBAChD,2CAA2C;gBAC3C,sDAAsD;gBACtD,kDAAkD;aACnD,EACD,6BAA6B,EAC7B,0HAA0H,EAC1H,8FAA8F,CAC/F,CACF,CAAC;QACJ,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC7D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACtE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC3C,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACxC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YACnD,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,0BAA0B,EAC1B,gEAAgE,EAChE,sEAAsE,EACtE,KAAK,GAAG,CAAC,EACT,8FAA8F,EAC9F,iFAAiF,EACjF;gBACE,yCAAyC;gBACzC,4BAA4B;gBAC5B,2BAA2B;gBAC3B,4CAA4C;aAC7C,EACD,yBAAyB,EACzB,uDAAuD,EACvD,mFAAmF,CACpF,CACF,CAAC;QACJ,CAAC;QAED,kDAAkD;QAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5D,oFAAoF;YACpF,MAAM,kBAAkB,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBACnG,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;gBAClD,OAAO,WAAW,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;YAC/E,CAAC,CAAC,CAAC;YAEH,IAAI,kBAAkB,EAAE,CAAC;gBACvB,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,6BAA6B,EAC7B,kEAAkE,EAClE,0EAA0E,EAC1E,KAAK,GAAG,CAAC,EACT,8EAA8E,EAC9E,4HAA4H,EAC5H;oBACE,uCAAuC;oBACvC,kDAAkD;oBACpD,kDAAkD;oBAClD,kDAAkD;iBACnD,EACD,iCAAiC,EACjC,wIAAwI,EACxI,8FAA8F,CAC/F,CACA,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Flask Framework Security Checks
+ * OWASP A01:2021 - Broken Access Control, A02:2021 - Cryptographic Failures, A03:2021 - Injection
+ *
+ * Detects Flask-specific security vulnerabilities including debug mode exposure,
+ * CSRF protection issues, template injection, and weak cryptographic keys.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for Flask framework security vulnerabilities
+ *
+ * Covers:
+ * - Check #28: Debug mode enabled (CRITICAL) - Remote code execution risk
+ * - Check #29: Missing CSRF protection (HIGH) - CSRF vulnerability
+ * - Check #30: render_template_string() with user input (CRITICAL) - SSTI
+ * - Markup() with user input (HIGH) - XSS vulnerability (data flow tracked)
+ * - Check #31: Weak SECRET_KEY (HIGH) - Session security weakness
+ *
+ * @param lines - Array of code lines
+ * @param userInputVariables - Map of variable names assigned from user input
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkFlaskSecurity(lines: string[], userInputVariables: Map<string, number>): SecurityVulnerability[];
+//# sourceMappingURL=flask-security.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"flask-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/flask-security.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACtC,qBAAqB,EAAE,CA0LzB"}

package/dist/src/lib/analyzers/python/security-checks/flask-security.js

@@ -0,0 +1,143 @@
+"use strict";
+/**
+ * Flask Framework Security Checks
+ * OWASP A01:2021 - Broken Access Control, A02:2021 - Cryptographic Failures, A03:2021 - Injection
+ *
+ * Detects Flask-specific security vulnerabilities including debug mode exposure,
+ * CSRF protection issues, template injection, and weak cryptographic keys.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkFlaskSecurity = checkFlaskSecurity;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for Flask framework security vulnerabilities
+ *
+ * Covers:
+ * - Check #28: Debug mode enabled (CRITICAL) - Remote code execution risk
+ * - Check #29: Missing CSRF protection (HIGH) - CSRF vulnerability
+ * - Check #30: render_template_string() with user input (CRITICAL) - SSTI
+ * - Markup() with user input (HIGH) - XSS vulnerability (data flow tracked)
+ * - Check #31: Weak SECRET_KEY (HIGH) - Session security weakness
+ *
+ * @param lines - Array of code lines
+ * @param userInputVariables - Map of variable names assigned from user input
+ * @returns Array of security vulnerabilities found
+ */
+function checkFlaskSecurity(lines, userInputVariables) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                // Start of multi-line comment
+                inMultiLineComment = true;
+                // Check if it closes on the same line (single-line docstring)
+                const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    // Opens and closes on same line, reset flag
+                    inMultiLineComment = false;
+                }
+                return; // Skip this line
+            }
+            else {
+                // End of multi-line comment
+                inMultiLineComment = false;
+                return; // Skip this line
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmed ||
+            inMultiLineComment ||
+            trimmed.startsWith('#')) {
+            return;
+        }
+        // 28. Flask Debug Mode - CRITICAL (remote code execution)
+        if (trimmed.match(/app\.run\s*\([^)]*debug\s*=\s*True/)) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('flask-debug-mode', 'Flask debug mode enabled allows remote code execution', 'Set debug=False in production or remove debug parameter', lineNumber, 'Running Flask with debug=True in production enables the interactive debugger, allowing anyone with access to error pages to execute arbitrary Python code on the server via the debug console.', 'app.run(debug=True)  # Attacker gets interactive Python shell on any error page', [
+                'Remote code execution (RCE)',
+                'Full server compromise',
+                'Information disclosure (source code, env vars)',
+                'Arbitrary file read/write',
+                'Critical security bypass'
+            ], 'app.run(debug=True, host="0.0.0.0")', 'import os\\nDEBUG = os.environ.get("FLASK_DEBUG", "False") == "True"\\napp.run(debug=DEBUG)  # Or simply: app.run()  (debug=False by default)', 'NEVER use debug=True in production. The Werkzeug debugger allows code execution'));
+        }
+        // 29. Flask Missing CSRF Protection - HIGH
+        // Only flag when Flask app is instantiated, not on import statement
+        if (trimmed.includes('Flask(__name__)') || trimmed.includes('app = Flask(')) {
+            // Check if CSRFProtect is imported/used in the file (skip comments)
+            const hasCSRF = lines.some(line => {
+                const lineTrimmed = line.trim();
+                return !lineTrimmed.startsWith('#') && (lineTrimmed.includes('CSRFProtect') || lineTrimmed.includes('flask_wtf') || lineTrimmed.includes('flask-wtf'));
+            });
+            if (!hasCSRF) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('flask-missing-csrf', 'Flask application missing CSRF protection', 'Install flask-wtf and enable CSRFProtect for all forms', lineNumber, 'Flask does not include CSRF protection by default. Without flask-wtf\'s CSRFProtect, forms are vulnerable to Cross-Site Request Forgery attacks.', 'app = Flask(__name__)  # No CSRF protection → Forms vulnerable to CSRF', [
+                    'Cross-Site Request Forgery (CSRF)',
+                    'Unauthorized state changes',
+                    'Account takeover',
+                    'Data manipulation',
+                    'Form submission forgery'
+                ], 'from flask import Flask\\napp = Flask(__name__)', 'from flask import Flask\\nfrom flask_wtf.csrf import CSRFProtect\\n\\napp = Flask(__name__)\\napp.config["SECRET_KEY"] = os.environ.get("SECRET_KEY")\\ncsrf = CSRFProtect(app)  # Enable CSRF protection', 'Always use flask-wtf CSRFProtect. Include {{ csrf_token() }} in all forms'));
+            }
+        }
+        // 30. Flask Unsafe Template Rendering - CRITICAL (SSTI)
+        if (trimmed.includes('render_template_string(') && (trimmed.includes('request.') || trimmed.includes('user_') || trimmed.includes('input'))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('flask-ssti', 'render_template_string() with user input allows Server-Side Template Injection', 'Use render_template() with separate template files, never render user input', lineNumber, 'Flask\'s render_template_string() with user input allows Server-Side Template Injection (SSTI). Attackers can execute arbitrary Python code by injecting Jinja2 template expressions.', 'render_template_string(request.args.get("template"))  # {{ config.__class__.__init__.__globals__[\'os\'].popen(\'ls\').read() }}', [
+                'Server-Side Template Injection (SSTI)',
+                'Remote code execution (RCE)',
+                'Full server compromise',
+                'Information disclosure',
+                'File system access'
+            ], 'html = render_template_string(user_template)', 'from flask import render_template\\n# Use separate template files\\nhtml = render_template("page.html", user_data=user_input)\\n# Template: {{ user_data }}  (auto-escaped)', 'Never use render_template_string() with user input. Use render_template() with files'));
+        }
+        // Flask Markup() XSS (with data flow analysis)
+        // PHASE 6 FIX (2025-11-22): Added data flow tracking for variables
+        if (trimmed.includes('Markup(')) {
+            // Check 1: Direct user input on same line
+            const hasDirectUserInput = trimmed.includes('request.') || trimmed.includes('user_') || trimmed.includes('input');
+            // Check 2: Using ANY tracked user input variable in the Markup() call
+            let usesUserInputVar = false;
+            for (const [varName] of userInputVariables) {
+                // Check if the variable name appears in the Markup() call (with word boundaries)
+                const varRegex = new RegExp(`\\b${varName}\\b`);
+                if (varRegex.test(trimmed)) {
+                    usesUserInputVar = true;
+                    break;
+                }
+            }
+            if (hasDirectUserInput || usesUserInputVar) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('flask-markup-xss', 'Markup() with user input bypasses XSS protection', 'Use Flask template auto-escaping instead of Markup()', lineNumber, 'Flask\'s Markup() function marks strings as safe HTML, bypassing auto-escaping. When used with user input, it allows XSS attacks.', 'html = Markup(f"<p>{comment}</p>")  # Where comment = request.args.get("text") → XSS!', [
+                    'Cross-Site Scripting (XSS)',
+                    'Session hijacking',
+                    'Credential theft',
+                    'Malicious script injection',
+                    'Client-side code execution'
+                ], 'from markupsafe import Markup\\nhtml = Markup(user_input)', 'from markupsafe import escape\\n# Let Jinja2 auto-escape in templates\\nhtml = escape(user_input)\\n# Or in template: {{ user_input }}  (auto-escaped)', 'Never use Markup() with user input. Use Jinja2 auto-escaping in templates'));
+            }
+        }
+        // 31. Flask Weak SECRET_KEY - HIGH (session security)
+        if (trimmed.match(/app\.config\[['"](SECRET_KEY|secret_key)['"]\]\s*=\s*['"]/)) {
+            const secretKeyMatch = trimmed.match(/app\.config\[['"](SECRET_KEY|secret_key)['"]\]\s*=\s*['"]([^'"]+)['"]/);
+            if (secretKeyMatch) {
+                const secretKey = secretKeyMatch[2];
+                const isWeak = secretKey.length < 32 ||
+                    /^(secret|flask|12345|password|key|test|abc|demo)/i.test(secretKey) ||
+                    secretKey === 'your-secret-key-here';
+                if (isWeak) {
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('flask-weak-secret-key', 'Flask SECRET_KEY is weak or hardcoded', 'Generate a strong random SECRET_KEY and store in environment variables', lineNumber, 'Flask\'s SECRET_KEY is used to cryptographically sign session cookies. A weak or hardcoded key allows attackers to forge session cookies and impersonate any user.', 'app.config["SECRET_KEY"] = "123"  # Attacker can forge cookies to become admin', [
+                        'Session forgery',
+                        'Cookie tampering',
+                        'Authentication bypass',
+                        'Account takeover',
+                        'Privilege escalation'
+                    ], 'app.config["SECRET_KEY"] = "flask-secret"', 'import os\\nimport secrets\\n\\nSECRET_KEY = os.environ.get("FLASK_SECRET_KEY")\\nif not SECRET_KEY:\\n    raise ValueError("FLASK_SECRET_KEY environment variable not set")\\napp.config["SECRET_KEY"] = SECRET_KEY\\n# Generate with: python -c \'import secrets; print(secrets.token_hex(32))\'', 'Generate strong key: secrets.token_hex(32). Never hardcode. Use environment variables'));
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=flask-security.js.map

package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"flask-security.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/flask-security.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAmBH,gDA6LC;AA7MD,sEAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,SAAgB,kBAAkB,CAChC,KAAe,EACf,kBAAuC;IAEvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO;YACR,kBAAkB;YAClB,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,OAAO;QACT,CAAC;QAED,0DAA0D;QAC1D,IAAI,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC,EAAE,CAAC;YACxD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,kBAAkB,EAClB,uDAAuD,EACvD,yDAAyD,EACzD,UAAU,EACV,gMAAgM,EAChM,iFAAiF,EACjF;gBACE,6BAA6B;gBAC7B,wBAAwB;gBACxB,gDAAgD;gBAChD,2BAA2B;gBAC3B,0BAA0B;aAC3B,EACD,qCAAqC,EACrC,+IAA+I,EAC/I,iFAAiF,CAClF,CAAC,CAAC;QACL,CAAC;QAED,2CAA2C;QAC3C,oEAAoE;QACpE,IAAI,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YAC5E,oEAAoE;YACpE,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAChC,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;gBAChC,OAAO,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CACrC,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,CAC9G,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,oBAAoB,EACpB,2CAA2C,EAC3C,wDAAwD,EACxD,UAAU,EACV,kJAAkJ,EAClJ,wEAAwE,EACxE;oBACE,mCAAmC;oBACnC,4BAA4B;oBAC5B,kBAAkB;oBAClB,mBAAmB;oBACnB,yBAAyB;iBAC1B,EACD,iDAAiD,EACjD,2MAA2M,EAC3M,2EAA2E,CAC5E,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,IAAI,OAAO,CAAC,QAAQ,CAAC,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC5I,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,gFAAgF,EAChF,6EAA6E,EAC7E,UAAU,EACV,uLAAuL,EACvL,kIAAkI,EAClI;gBACE,uCAAuC;gBACvC,6BAA6B;gBAC7B,wBAAwB;gBACxB,wBAAwB;gBACxB,oBAAoB;aACrB,EACD,8CAA8C,EAC9C,6KAA6K,EAC7K,sFAAsF,CACvF,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,mEAAmE;QACnE,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,0CAA0C;YAC1C,MAAM,kBAAkB,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAElH,sEAAsE;YACtE,IAAI,gBAAgB,GAAG,KAAK,CAAC;YAC7B,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,kBAAkB,EAAE,CAAC;gBAC3C,iFAAiF;gBACjF,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,OAAO,KAAK,CAAC,CAAC;gBAChD,IAAI,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3B,gBAAgB,GAAG,IAAI,CAAC;oBACxB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,kBAAkB,IAAI,gBAAgB,EAAE,CAAC;gBAC3C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,kBAAkB,EAClB,kDAAkD,EAClD,sDAAsD,EACtD,UAAU,EACV,mIAAmI,EACnI,uFAAuF,EACzF;oBACE,4BAA4B;oBAC5B,mBAAmB;oBACnB,kBAAkB;oBAClB,4BAA4B;oBAC5B,4BAA4B;iBAC7B,EACD,2DAA2D,EAC3D,wJAAwJ,EACxJ,2EAA2E,CAC5E,CAAC,CAAC;YACH,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,EAAE,CAAC;YAC/E,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,uEAAuE,CAAC,CAAC;YAC9G,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;gBACpC,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,EAAE;oBACrB,mDAAmD,CAAC,IAAI,CAAC,SAAS,CAAC;oBACnE,SAAS,KAAK,sBAAsB,CAAC;gBAEpD,IAAI,MAAM,EAAE,CAAC;oBACX,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,uCAAuC,EACvC,wEAAwE,EACxE,UAAU,EACV,oKAAoK,EACpK,gFAAgF,EAChF;wBACE,iBAAiB;wBACjB,kBAAkB;wBAClB,uBAAuB;wBACvB,kBAAkB;wBAClB,sBAAsB;qBACvB,EACD,2CAA2C,EAC3C,oSAAoS,EACpS,uFAAuF,CACxF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Python Injection Attack Security Checks
+ * OWASP A03:2021 - Injection
+ *
+ * Detects code injection, SQL injection, and command injection vulnerabilities
+ * in Python code. These are among the most critical security risks.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for injection attack vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: eval() usage (CRITICAL)
+ * - Check #2: exec() usage (CRITICAL)
+ * - Check #3: compile() usage (HIGH)
+ * - Check #4: SQL Injection - Inline interpolation (CRITICAL)
+ * - Check #4b: SQL Injection - Data flow tracking (CRITICAL)
+ * - Check #5: Command Injection (CRITICAL)
+ * - Check #5b: subprocess.Popen without shell=False (HIGH)
+ * - Check #6: shell=True in subprocess (HIGH)
+ * - Check #6b: subprocess.Popen with shell=True (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkInjectionAttacks(lines: string[], unsafeSqlVariables: Map<string, number>): SecurityVulnerability[];
+//# sourceMappingURL=injection-attacks.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACtC,qBAAqB,EAAE,CAmQzB"}

package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js

@@ -0,0 +1,174 @@
+"use strict";
+/**
+ * Python Injection Attack Security Checks
+ * OWASP A03:2021 - Injection
+ *
+ * Detects code injection, SQL injection, and command injection vulnerabilities
+ * in Python code. These are among the most critical security risks.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkInjectionAttacks = checkInjectionAttacks;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for injection attack vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: eval() usage (CRITICAL)
+ * - Check #2: exec() usage (CRITICAL)
+ * - Check #3: compile() usage (HIGH)
+ * - Check #4: SQL Injection - Inline interpolation (CRITICAL)
+ * - Check #4b: SQL Injection - Data flow tracking (CRITICAL)
+ * - Check #5: Command Injection (CRITICAL)
+ * - Check #5b: subprocess.Popen without shell=False (HIGH)
+ * - Check #6: shell=True in subprocess (HIGH)
+ * - Check #6b: subprocess.Popen with shell=True (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting
+ * @returns Array of security vulnerabilities found
+ */
+function checkInjectionAttacks(lines, unsafeSqlVariables) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+        const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+        if (hasTripleQuote) {
+            if (!inMultiLineComment) {
+                inMultiLineComment = true;
+                const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+                if (tripleQuoteCount >= 2) {
+                    inMultiLineComment = false;
+                }
+                return;
+            }
+            else {
+                inMultiLineComment = false;
+                return;
+            }
+        }
+        // CRITICAL: Skip all lines inside multi-line comments and single-line comments
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
+            return;
+        }
+        // OWASP A03:2021 - Injection
+        // 1. eval() - CRITICAL
+        if (trimmed.includes('eval(')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('eval-usage', 'eval() allows arbitrary code execution', 'Use ast.literal_eval() for safe data or json.loads() for JSON', lineNumber, 'Python\'s eval() executes arbitrary Python expressions, allowing attackers to execute any code if user input reaches eval().', 'eval(user_input) where user_input = "__import__(\'os\').system(\'rm -rf /\')"', [
+                'Remote Code Execution (RCE)',
+                'Complete system compromise',
+                'Data theft and exfiltration',
+                'File system access'
+            ], 'result = eval(user_input)', 'import ast\nresult = ast.literal_eval(user_input)  # Safe for literals only\n# Or: import json; result = json.loads(user_input)', 'Use ast.literal_eval() for Python literals or json.loads() for JSON. Never use eval() with untrusted input'));
+        }
+        // 2. exec() - CRITICAL
+        if (trimmed.includes('exec(')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('eval-usage', 'exec() allows arbitrary code execution', 'Redesign code to avoid dynamic execution entirely', lineNumber, 'exec() executes arbitrary Python code, including statements and function definitions, making it even more dangerous than eval().', 'exec(user_code) where user_code = "import subprocess; subprocess.run([\'rm\', \'-rf\', \'/\'])"', [
+                'Remote Code Execution (RCE)',
+                'Full system access',
+                'Data manipulation',
+                'Privilege escalation'
+            ], 'exec(dynamic_code)', '# Refactor to avoid dynamic code execution\n# Use configuration files, function mappings, or plugins instead', 'exec() should never be used with untrusted input. Redesign architecture to eliminate need for dynamic code execution'));
+        }
+        // 3. compile() - HIGH
+        if (trimmed.includes('compile(')) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('eval-usage', 'compile() can execute arbitrary code', 'Avoid compile() with untrusted input, validate strictly if required', lineNumber, 'compile() creates code objects that can be executed with exec(), providing another vector for code injection.', 'code = compile(user_input, "<string>", "exec"); exec(code)', [
+                'Code injection',
+                'Remote code execution',
+                'Bypass of security controls'
+            ], 'code_obj = compile(source, "<string>", "exec")', '# Avoid entirely or implement strict sandboxing\n# Consider using RestrictedPython for sandboxed execution', 'Avoid compile() with untrusted input. If absolutely necessary, use sandboxing libraries like RestrictedPython'));
+        }
+        // 4. SQL Injection - CRITICAL
+        // Pattern 1: Inline string interpolation in execute()
+        if (trimmed.match(/execute\s*\(\s*[f"'].*%.*[f"']/) ||
+            trimmed.match(/execute\s*\(\s*[f"'].*\+.*[f"']/) ||
+            trimmed.match(/execute\s*\(\s*f['"]/)) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('sql-injection', 'SQL Injection with string interpolation detected', 'Use parameterized queries with placeholders', lineNumber, 'String interpolation or concatenation in SQL queries allows attackers to inject malicious SQL code, bypassing authentication and accessing the entire database.', 'cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") where user_id = "1 OR 1=1"', [
+                'Full database access (read/write/delete)',
+                'Authentication bypass',
+                'Data exfiltration',
+                'Data destruction',
+                'Privilege escalation'
+            ], 'cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")', 'cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))\n# Or: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))', 'Always use parameterized queries where user input is passed as separate parameters, never interpolated into the query string'));
+        }
+        // Pattern 2: Data flow - execute() with unsafe SQL variable (FIX #1)
+        // Detects: query = f"SELECT..."; cursor.execute(query)
+        if (trimmed.match(/execute\s*\(\s*(\w+)\s*[,)]/)) {
+            const executeVarMatch = trimmed.match(/execute\s*\(\s*(\w+)\s*[,)]/);
+            if (executeVarMatch) {
+                const varName = executeVarMatch[1];
+                if (unsafeSqlVariables.has(varName)) {
+                    const unsafeVarLine = unsafeSqlVariables.get(varName);
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('sql-injection', `SQL Injection via unsafe variable '${varName}' (constructed on line ${unsafeVarLine})`, 'Use parameterized queries with placeholders', lineNumber, `Variable '${varName}' contains SQL query with string interpolation (line ${unsafeVarLine}), then passed to execute() without parameterization. This allows SQL injection attacks.`, `query = f"SELECT * FROM users WHERE id = {user_id}"  # Line ${unsafeVarLine}\ncursor.execute(query)  # Line ${lineNumber} - Vulnerable!`, [
+                        'Full database access (read/write/delete)',
+                        'Authentication bypass',
+                        'Data exfiltration',
+                        'Data destruction',
+                        'Privilege escalation'
+                    ], `# Line ${unsafeVarLine}:\nquery = f"SELECT * FROM users WHERE id = {user_id}"\n# Line ${lineNumber}:\ncursor.execute(query)`, 'cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))\n# Or: cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))', 'Always use parameterized queries where user input is passed as separate parameters, never interpolated into the query string'));
+                }
+            }
+        }
+        // 5. Command Injection - CRITICAL
+        if ((trimmed.includes('os.system(') || trimmed.includes('subprocess.call(') ||
+            trimmed.includes('subprocess.run(') || trimmed.includes('subprocess.Popen(')) &&
+            (trimmed.includes('+') || trimmed.includes('f"') || trimmed.includes("f'"))) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('command-injection', 'Command Injection vulnerability detected', 'Use subprocess with shell=False and pass command as list', lineNumber, 'Concatenating user input into shell commands allows attackers to execute arbitrary system commands with the application\'s privileges.', 'os.system(f"ls {user_path}") where user_path = "; rm -rf /"', [
+                'Remote Code Execution (RCE)',
+                'Complete system compromise',
+                'Data deletion',
+                'Privilege escalation',
+                'Backdoor installation'
+            ], 'os.system(f"ls {user_dir}")', 'import subprocess\nsubprocess.run(["ls", user_dir], shell=False)  # Arguments as list, shell=False', 'Use subprocess with shell=False and pass command and arguments as a list. Never concatenate user input into shell commands'));
+        }
+        // 5b. subprocess.Popen without explicit shell=False - HIGH (Priority 1 Improvement)
+        // Detects subprocess.Popen calls that don't explicitly set shell=False
+        if (trimmed.includes('subprocess.Popen(') &&
+            !trimmed.includes('shell=False') &&
+            !trimmed.includes('shell = False')) {
+            // Check if there are signs of user input or variable usage
+            const hasVariables = trimmed.match(/Popen\([^)]*[a-zA-Z_][a-zA-Z0-9_]*[^)]*\)/) ||
+                trimmed.includes('.format(') ||
+                trimmed.includes('.join(');
+            if (hasVariables) {
+                vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('command-injection', 'subprocess.Popen without explicit shell=False may be unsafe', 'Explicitly set shell=False and pass command as a list', lineNumber, 'subprocess.Popen without explicitly setting shell=False defaults to shell=False in Python 3, but for clarity and security, always explicitly set shell=False and pass commands as a list to prevent command injection.', 'subprocess.Popen(cmd) where cmd = ["sh", "-c", user_input]', [
+                    'Potential command injection',
+                    'Unclear security posture',
+                    'Shell interpretation if command contains special chars',
+                    'Difficult security audit'
+                ], 'subprocess.Popen(command)', 'subprocess.Popen(command, shell=False)  # Explicit is better than implicit', 'Always explicitly set shell=False in subprocess.Popen() calls and pass the command as a list of strings to prevent shell interpretation'));
+            }
+        }
+        // 6. shell=True in subprocess - HIGH
+        if (trimmed.match(/subprocess\.\w+\(.*shell\s*=\s*True/)) {
+            vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('command-injection', 'subprocess with shell=True enables command injection', 'Use shell=False (default) and pass command as list', lineNumber, 'shell=True invokes a shell interpreter, which interprets special characters and allows command injection if user input is present.', 'subprocess.run(cmd, shell=True) where cmd = "ls; rm -rf /"', [
+                'Command injection',
+                'Shell command execution',
+                'System compromise',
+                'Data loss'
+            ], 'subprocess.run(command, shell=True)', 'subprocess.run(["command", "arg1", "arg2"], shell=False)  # Safe, no shell interpretation', 'Always use shell=False and pass commands as lists. Only use shell=True for trusted, hardcoded commands'));
+        }
+        // 6b. subprocess.Popen specifically (additional check for multi-line or standalone Popen calls)
+        // PRIORITY 1 FIX: Ensure subprocess.Popen with shell=True is always detected
+        if (trimmed.includes('subprocess.Popen(') && trimmed.includes('shell') && trimmed.includes('True')) {
+            // Check if this Popen call has shell=True
+            if (trimmed.match(/subprocess\.Popen\([^)]*shell\s*=\s*True/) ||
+                trimmed.match(/shell\s*=\s*True[^)]*subprocess\.Popen/)) {
+                // Skip if already reported by previous check
+                const alreadyReported = vulnerabilities.some(v => v.line === lineNumber && v.message.includes('shell=True'));
+                if (!alreadyReported) {
+                    vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('command-injection', 'subprocess.Popen with shell=True enables command injection', 'Use shell=False (default) and pass command as list', lineNumber, 'subprocess.Popen() with shell=True invokes a shell interpreter, which interprets special characters and allows command injection if user input is present.', 'subprocess.Popen(cmd, shell=True) where cmd = "ls; rm -rf /"', [
+                        'Command injection',
+                        'Shell command execution',
+                        'System compromise',
+                        'Data loss'
+                    ], 'subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)', 'subprocess.Popen(["command", "arg1", "arg2"], shell=False, stdout=subprocess.PIPE)  # Safe', 'Always use shell=False with Popen and pass commands as lists. Only use shell=True for trusted, hardcoded commands'));
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=injection-attacks.js.map

package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAuBH,sDAsQC;AA1RD,sEAAiF;AAEjF;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,qBAAqB,CACnC,KAAe,EACf,kBAAuC;IAEvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,6BAA6B;QAC7B,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,wCAAwC,EACxC,+DAA+D,EAC/D,UAAU,EACV,8HAA8H,EAC9H,+EAA+E,EAC/E;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,oBAAoB;aACrB,EACD,2BAA2B,EAC3B,iIAAiI,EACjI,4GAA4G,CAC7G,CAAC,CAAC;QACL,CAAC;QAED,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,wCAAwC,EACxC,mDAAmD,EACnD,UAAU,EACV,kIAAkI,EAClI,iGAAiG,EACjG;gBACE,6BAA6B;gBAC7B,oBAAoB;gBACpB,mBAAmB;gBACnB,sBAAsB;aACvB,EACD,oBAAoB,EACpB,8GAA8G,EAC9G,sHAAsH,CACvH,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,sCAAsC,EACtC,qEAAqE,EACrE,UAAU,EACV,+GAA+G,EAC/G,4DAA4D,EAC5D;gBACE,gBAAgB;gBAChB,uBAAuB;gBACvB,6BAA6B;aAC9B,EACD,gDAAgD,EAChD,4GAA4G,EAC5G,+GAA+G,CAChH,CAAC,CAAC;QACL,CAAC;QAED,8BAA8B;QAC9B,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC;YAC/C,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,eAAe,EACf,kDAAkD,EAClD,6CAA6C,EAC7C,UAAU,EACV,iKAAiK,EACjK,wFAAwF,EACxF;gBACE,0CAA0C;gBAC1C,uBAAuB;gBACvB,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,6DAA6D,EAC7D,uIAAuI,EACvI,8HAA8H,CAC/H,CAAC,CAAC;QACL,CAAC;QAED,qEAAqE;QACrE,uDAAuD;QACvD,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACjD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACrE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;oBACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,eAAe,EACf,sCAAsC,OAAO,0BAA0B,aAAa,GAAG,EACvF,6CAA6C,EAC7C,UAAU,EACV,aAAa,OAAO,wDAAwD,aAAa,0FAA0F,EACnL,+DAA+D,aAAa,mCAAmC,UAAU,gBAAgB,EACzI;wBACE,0CAA0C;wBAC1C,uBAAuB;wBACvB,mBAAmB;wBACnB,kBAAkB;wBAClB,sBAAsB;qBACvB,EACD,UAAU,aAAa,kEAAkE,UAAU,0BAA0B,EAC7H,uIAAuI,EACvI,8HAA8H,CAC/H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACtE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;YAC9E,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAChF,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,0CAA0C,EAC1C,0DAA0D,EAC1D,UAAU,EACV,wIAAwI,EACxI,6DAA6D,EAC7D;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,eAAe;gBACf,sBAAsB;gBACtB,uBAAuB;aACxB,EACD,6BAA6B,EAC7B,oGAAoG,EACpG,4HAA4H,CAC7H,CAAC,CAAC;QACL,CAAC;QAED,oFAAoF;QACpF,uEAAuE;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YACrC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACvC,2DAA2D;YAC3D,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC;gBAC3D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE/C,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,6DAA6D,EAC7D,uDAAuD,EACvD,UAAU,EACV,wNAAwN,EACxN,4DAA4D,EAC5D;oBACE,6BAA6B;oBAC7B,0BAA0B;oBAC1B,wDAAwD;oBACxD,0BAA0B;iBAC3B,EACD,2BAA2B,EAC3B,4EAA4E,EAC5E,yIAAyI,CAC1I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,sDAAsD,EACtD,oDAAoD,EACpD,UAAU,EACV,oIAAoI,EACpI,4DAA4D,EAC5D;gBACE,mBAAmB;gBACnB,yBAAyB;gBACzB,mBAAmB;gBACnB,WAAW;aACZ,EACD,qCAAqC,EACrC,2FAA2F,EAC3F,wGAAwG,CACzG,CAAC,CAAC;QACL,CAAC;QAED,gGAAgG;QAChG,6EAA6E;QAC7E,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnG,0CAA0C;YAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC;gBACzD,OAAO,CAAC,KAAK,CAAC,wCAAwC,CAAC,EAAE,CAAC;gBAC5D,6CAA6C;gBAC7C,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAC1D,CAAC;gBAEF,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,4DAA4D,EAC5D,oDAAoD,EACpD,UAAU,EACV,4JAA4J,EAC5J,8DAA8D,EAC9D;wBACE,mBAAmB;wBACnB,yBAAyB;wBACzB,mBAAmB;wBACnB,WAAW;qBACZ,EACD,+DAA+D,EAC/D,4FAA4F,EAC5F,mHAAmH,CACpH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Python Insecure Design Security Checks
+ * OWASP A06:2025 - Insecure Design
+ *
+ * Detects design-level security flaws that cannot be fixed by implementation alone.
+ * This is a NEW category in OWASP 2025 focusing on missing security controls.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for insecure design vulnerabilities in Python code
+ *
+ * Covers:
+ * - Check #1: Missing rate limiting on sensitive endpoints (HIGH)
+ * - Check #2: Mass assignment vulnerabilities (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkInsecureDesign(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=insecure-design.d.ts.map

package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-design.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/insecure-design.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAsMzB"}