codeslick-cli 1.0.0
- package/README.md +458 -0
- package/__tests__/cli-reporter.test.ts +86 -0
- package/__tests__/config-loader.test.ts +247 -0
- package/__tests__/local-scanner.test.ts +245 -0
- package/bin/codeslick.cjs +153 -0
- package/dist/packages/cli/src/commands/auth.d.ts +36 -0
- package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/auth.js +226 -0
- package/dist/packages/cli/src/commands/auth.js.map +1 -0
- package/dist/packages/cli/src/commands/config.d.ts +37 -0
- package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/config.js +196 -0
- package/dist/packages/cli/src/commands/config.js.map +1 -0
- package/dist/packages/cli/src/commands/init.d.ts +32 -0
- package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/init.js +171 -0
- package/dist/packages/cli/src/commands/init.js.map +1 -0
- package/dist/packages/cli/src/commands/scan.d.ts +40 -0
- package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
- package/dist/packages/cli/src/commands/scan.js +204 -0
- package/dist/packages/cli/src/commands/scan.js.map +1 -0
- package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
- package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
- package/dist/packages/cli/src/config/config-loader.js +146 -0
- package/dist/packages/cli/src/config/config-loader.js.map +1 -0
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
- package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
- package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
- package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
- package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
- package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
- package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
- package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
- package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
- package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
- package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
- package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
- package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
- package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
- package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
- package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
- package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
- package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
- package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
- package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
- package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
- package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
- package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
- package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
- package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
- package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
- package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
- package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
- package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
- package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
- package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
- package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
- package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
- package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
- package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
- package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
- package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
- package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
- package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
- package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
- package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
- package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
- package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
- package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
- package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
- package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
- package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
- package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
- package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
- package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
- package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
- package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
- package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
- package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
- package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
- package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
- package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
- package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
- package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
- package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
- package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
- package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
- package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
- package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
- package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
- package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
- package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
- package/dist/src/lib/analyzers/types.d.ts +92 -0
- package/dist/src/lib/analyzers/types.d.ts.map +1 -0
- package/dist/src/lib/analyzers/types.js +3 -0
- package/dist/src/lib/analyzers/types.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
- package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
- package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
- package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
- package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
- package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
- package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
- package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
- package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
- package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
- package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
- package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
- package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
- package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
- package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
- package/dist/src/lib/security/compliance-mapping.js +1342 -0
- package/dist/src/lib/security/compliance-mapping.js.map +1 -0
- package/dist/src/lib/security/severity-scoring.d.ts +47 -0
- package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
- package/dist/src/lib/security/severity-scoring.js +965 -0
- package/dist/src/lib/security/severity-scoring.js.map +1 -0
- package/dist/src/lib/standards/references.d.ts +16 -0
- package/dist/src/lib/standards/references.d.ts.map +1 -0
- package/dist/src/lib/standards/references.js +1161 -0
- package/dist/src/lib/standards/references.js.map +1 -0
- package/dist/src/lib/types/index.d.ts +167 -0
- package/dist/src/lib/types/index.d.ts.map +1 -0
- package/dist/src/lib/types/index.js +3 -0
- package/dist/src/lib/types/index.js.map +1 -0
- package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
- package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
- package/dist/src/lib/utils/code-cleaner.js +283 -0
- package/dist/src/lib/utils/code-cleaner.js.map +1 -0
- package/package.json +51 -0
- package/src/commands/auth.ts +308 -0
- package/src/commands/config.ts +226 -0
- package/src/commands/init.ts +202 -0
- package/src/commands/scan.ts +238 -0
- package/src/config/config-loader.ts +175 -0
- package/src/reporters/cli-reporter.ts +282 -0
- package/src/scanner/local-scanner.ts +250 -0
- package/tsconfig.json +24 -0
- package/tsconfig.tsbuildinfo +1 -0
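--- a/security-misconfiguration.d.ts
+++ b/security-misconfiguration.d.ts
@@ -0,0 +1,26 @@
+/**
+* Python Security Misconfiguration Checks
+* OWASP A02:2025 - Security Misconfiguration
+*
+* Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+* Focus: Django/Flask debug modes, settings, AWS configs, etc.
+*/
+import { SecurityVulnerability } from '../../types';
+/**
+* Checks for security misconfiguration vulnerabilities in Python code
+*
+* Covers:
+* - Check #1: Django DEBUG mode enabled (HIGH)
+* - Check #2: Flask debug mode enabled (HIGH)
+* - Check #3: Django SECRET_KEY hardcoded (CRITICAL)
+* - Check #4: Flask SECRET_KEY hardcoded (CRITICAL)
+* - Check #5: Default Django settings not changed (MEDIUM)
+* - Check #6: AWS credentials in source code (CRITICAL)
+* - Check #7: Database credentials exposed (CRITICAL)
+* - Check #8: Detailed error responses in production (MEDIUM)
+*
+* @param lines - Array of code lines
+* @returns Array of security vulnerabilities found
+*/
+export declare function checkSecurityMisconfiguration(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=security-misconfiguration.d.ts.map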
@@ -0,0 +1 @@
1
+
{"version":3,"file":"security-misconfiguration.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/security-misconfiguration.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA+XzB"}
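--- a/security-misconfiguration.js
+++ b/security-misconfiguration.js
@@ -0,0 +1,375 @@
+"use strict";
+/**
+* Python Security Misconfiguration Checks
+* OWASP A02:2025 - Security Misconfiguration
+*
+* Detects security misconfigurations that moved from #5 to #2 in OWASP 2025.
+* Focus: Django/Flask debug modes, settings, AWS configs, etc.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSecurityMisconfiguration = checkSecurityMisconfiguration;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+* Checks for security misconfiguration vulnerabilities in Python code
+*
+* Covers:
+* - Check #1: Django DEBUG mode enabled (HIGH)
+* - Check #2: Flask debug mode enabled (HIGH)
+* - Check #3: Django SECRET_KEY hardcoded (CRITICAL)
+* - Check #4: Flask SECRET_KEY hardcoded (CRITICAL)
+* - Check #5: Default Django settings not changed (MEDIUM)
+* - Check #6: AWS credentials in source code (CRITICAL)
+* - Check #7: Database credentials exposed (CRITICAL)
+* - Check #8: Detailed error responses in production (MEDIUM)
+*
+* @param lines - Array of code lines
+* @returns Array of security vulnerabilities found
+*/
+function checkSecurityMisconfiguration(lines) {
+const vulnerabilities = [];
+let inMultiLineComment = false;
+lines.forEach((line, index) => {
+const trimmedLine = line.trim();
+// CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+const hasTripleQuote = trimmedLine.includes('"""') || trimmedLine.includes("'''");
+if (hasTripleQuote) {
+if (!inMultiLineComment) {
+// Start of multi-line comment
+inMultiLineComment = true;
+// Check if it closes on the same line (single-line docstring)
+const tripleQuoteCount = (trimmedLine.match(/"""/g) || []).length + (trimmedLine.match(/'''/g) || []).length;
+if (tripleQuoteCount >= 2) {
+// Opens and closes on same line, reset flag
+inMultiLineComment = false;
+}
+return; // Skip this line
+}
+else {
+// End of multi-line comment
+inMultiLineComment = false;
+return; // Skip this line
+}
+}
+// CRITICAL: Skip all lines inside multi-line comments and single-line comments
+if (!trimmedLine ||
+inMultiLineComment ||
+trimmedLine.startsWith('#')) {
+return;
+}
+const lowerLine = trimmedLine.toLowerCase();
+// Check #1: Django DEBUG mode enabled
+// Don't flag if using environment variables (proper pattern: os.getenv, os.environ)
+// Don't flag Flask function parameters (app.run(debug=True) is handled by Flask-specific check)
+if (lowerLine.includes('debug') && lowerLine.includes('=') && lowerLine.includes('true') &&
+!lowerLine.includes('os.getenv') && !lowerLine.includes('os.environ') &&
+!lowerLine.includes('getenv(') &&
+!lowerLine.includes('app.run(') && !lowerLine.includes('.run(')) { // Skip Flask function calls
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'HIGH',
+confidence: 'HIGH',
+message: 'Django DEBUG mode enabled in production',
+line: index + 1,
+suggestion: 'Set DEBUG = False in production and use environment variables',
+owasp: 'A02:2025',
+cwe: 'CWE-489',
+pciDss: 'Requirement 6.1',
+remediation: {
+explanation: 'DEBUG mode exposes sensitive information including stack traces, SQL queries, and internal paths',
+before: 'DEBUG = True',
+after: 'DEBUG = os.getenv("DEBUG", "False").lower() == "true"'
+},
+attackVector: {
+description: 'DEBUG mode reveals sensitive application internals to attackers',
+realWorldImpact: [
+'Exposure of source code and file paths',
+'Database query revelation with sensitive data',
+'Environment variables and settings disclosure',
+'Stack traces revealing application architecture'
+]
+}
+}));
+}
+// Check #2: Flask debug mode enabled
+// Don't flag if using environment variables or debug=False
+if (lowerLine.includes('app.run') && lowerLine.includes('debug') && lowerLine.includes('true') &&
+!lowerLine.includes('os.getenv') && !lowerLine.includes('os.environ') &&
+!lowerLine.includes('getenv(') && !lowerLine.includes('debug=false')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'HIGH',
+confidence: 'HIGH',
+message: 'Flask debug mode enabled in production',
+line: index + 1,
+suggestion: 'Set debug=False in production deployments',
+owasp: 'A02:2025',
+cwe: 'CWE-489',
+pciDss: 'Requirement 6.1',
+remediation: {
+explanation: 'Flask debug mode enables code reloading and exposes the interactive debugger',
+before: 'app.run(debug=True)',
+after: 'app.run(debug=os.getenv("FLASK_DEBUG", "False").lower() == "true")'
+},
+attackVector: {
+description: 'Debug mode provides interactive debugger and exposes internal application state',
+realWorldImpact: [
+'Interactive debugger access in browser',
+'Code execution through debug console',
+'Source code and variable inspection',
+'Application state manipulation'
+]
+}
+}));
+}
+// Check #3: Django SECRET_KEY hardcoded (NOT Flask - exclude app.secret_key and app.config patterns)
+if (lowerLine.includes('secret_key') && lowerLine.includes('=') &&
+(trimmedLine.includes("'") || trimmedLine.includes('"')) &&
+!lowerLine.includes('os.environ') && !lowerLine.includes('getenv') &&
+!lowerLine.includes('app.secret_key') && !lowerLine.includes('app.config')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'CRITICAL',
+confidence: 'HIGH',
+message: 'Django SECRET_KEY hardcoded in source code',
+line: index + 1,
+suggestion: 'Use environment variables to store SECRET_KEY securely',
+owasp: 'A02:2025',
+cwe: 'CWE-798',
+pciDss: 'Requirement 3.4',
+remediation: {
+explanation: 'Hardcoded SECRET_KEY compromises session security and CSRF protection',
+before: 'SECRET_KEY = "django-insecure-hardcoded-key"',
+after: 'SECRET_KEY = os.environ.get("SECRET_KEY")'
+},
+attackVector: {
+description: 'SECRET_KEY exposure enables session forgery and CSRF attacks',
+realWorldImpact: [
+'Session hijacking and forgery',
+'CSRF token prediction and bypass',
+'Cookie tampering and manipulation',
+'Authentication mechanism compromise'
+]
+}
+}));
+}
+// Check #4: Flask SECRET_KEY hardcoded
+if ((lowerLine.includes('app.secret_key') || lowerLine.includes('app.config["secret_key"]')) &&
+lowerLine.includes('=') && (trimmedLine.includes("'") || trimmedLine.includes('"')) &&
+!lowerLine.includes('os.environ') && !lowerLine.includes('getenv')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'CRITICAL',
+confidence: 'HIGH',
+message: 'Flask SECRET_KEY hardcoded in source code',
+line: index + 1,
+suggestion: 'Use environment variables to store SECRET_KEY securely',
+owasp: 'A02:2025',
+cwe: 'CWE-798',
+pciDss: 'Requirement 3.4',
+remediation: {
+explanation: 'Hardcoded SECRET_KEY compromises session security in Flask applications',
+before: 'app.secret_key = "hardcoded-secret"',
+after: 'app.secret_key = os.environ.get("SECRET_KEY")'
+},
+attackVector: {
+description: 'SECRET_KEY exposure enables session manipulation and security bypass',
+realWorldImpact: [
+'Session data tampering',
+'Flash message manipulation',
+'CSRF protection bypass',
+'Authentication state forgery'
+]
+}
+}));
+}
+// Check #5: Default Django settings not changed
+if (lowerLine.includes('allowed_hosts') && lowerLine.includes('=') &&
+(lowerLine.includes('[]') || lowerLine.includes('["*"]') || lowerLine.includes("['*']"))) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'MEDIUM',
+confidence: 'HIGH',
+message: 'Django ALLOWED_HOSTS misconfigured or allows all hosts',
+line: index + 1,
+suggestion: 'Configure ALLOWED_HOSTS with specific domain names for production',
+owasp: 'A02:2025',
+cwe: 'CWE-346',
+pciDss: 'Requirement 6.1',
+remediation: {
+explanation: 'Unrestricted ALLOWED_HOSTS enables Host Header attacks',
+before: 'ALLOWED_HOSTS = ["*"]',
+after: 'ALLOWED_HOSTS = ["yourdomain.com", "www.yourdomain.com"]'
+},
+attackVector: {
+description: 'Host header manipulation can lead to password reset poisoning and cache poisoning',
+realWorldImpact: [
+'Password reset link hijacking',
+'Cache poisoning attacks',
+'DNS rebinding attacks',
+'HTTP Host header attacks'
+]
+}
+}));
+}
+// Check #6: AWS credentials in source code
+// Don't flag if using environment variables (proper pattern: os.getenv, os.environ)
+if ((lowerLine.includes('aws_access_key_id') || lowerLine.includes('aws_secret_access_key')) &&
+lowerLine.includes('=') && (trimmedLine.includes("'") || trimmedLine.includes('"')) &&
+!lowerLine.includes('os.getenv') && !lowerLine.includes('os.environ') &&
+!lowerLine.includes('getenv')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'hardcoded-aws-credentials',
+severity: 'CRITICAL',
+confidence: 'HIGH',
+message: 'AWS credentials hardcoded in source code',
+line: index + 1,
+suggestion: 'Use AWS IAM roles, environment variables, or AWS credentials file',
+owasp: 'A02:2025',
+cwe: 'CWE-798',
+pciDss: 'Requirement 3.4',
+remediation: {
+explanation: 'Hardcoded AWS credentials provide full access to cloud resources',
+before: 'aws_access_key_id = "AKIA1234567890"',
+after: 'aws_access_key_id = os.environ.get("AWS_ACCESS_KEY_ID")'
+},
+attackVector: {
+description: 'AWS credential exposure enables complete cloud infrastructure compromise',
+realWorldImpact: [
+'Complete AWS account takeover',
+'Data exfiltration from S3 buckets',
+'EC2 instance compromise',
+'Unauthorized resource provisioning and billing'
+]
+}
+}));
+}
+// Check #7: Database credentials exposed
+if ((lowerLine.includes('database') || lowerLine.includes('db_password') ||
+lowerLine.includes('db_user') || lowerLine.includes('connection_string')) &&
+lowerLine.includes('=') && (trimmedLine.includes("'") || trimmedLine.includes('"')) &&
+!lowerLine.includes('os.environ') && !lowerLine.includes('getenv')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'hardcoded-database-credentials',
+severity: 'CRITICAL',
+confidence: 'MEDIUM',
+message: 'Database credentials may be hardcoded in source code',
+line: index + 1,
+suggestion: 'Use environment variables or secure configuration files for database credentials',
+owasp: 'A02:2025',
+cwe: 'CWE-798',
+pciDss: 'Requirement 3.4',
+remediation: {
+explanation: 'Hardcoded database credentials expose sensitive data access',
+before: 'DB_PASSWORD = "secretpassword123"',
+after: 'DB_PASSWORD = os.environ.get("DB_PASSWORD")'
+},
+attackVector: {
+description: 'Database credential exposure enables unauthorized data access',
+realWorldImpact: [
+'Complete database access and data theft',
+'Customer data exposure (PII, financial)',
+'Data manipulation and deletion',
+'Compliance violations (GDPR, HIPAA)'
+]
+}
+}));
+}
+// Check #8A: Traceback usage (standalone - may expose sensitive information)
+if ((lowerLine.includes('traceback.print_exc') ||
+lowerLine.includes('traceback.format_exc')) &&
+!trimmedLine.startsWith('#')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'python-exception-traceback',
+severity: 'MEDIUM',
+confidence: 'MEDIUM',
+message: 'Detailed error information may be exposed to users',
+line: index + 1,
+suggestion: 'Use logging.exception() for server-side logs instead of traceback output',
+owasp: 'A10:2025',
+cwe: 'CWE-209',
+pciDss: 'Requirement 6.5.5',
+remediation: {
+explanation: 'Traceback output reveals internal application structure and file paths',
+before: 'traceback.print_exc()',
+after: 'logging.exception("Error occurred") # Server-side only'
+},
+attackVector: {
+description: 'Traceback exposure reveals file paths and internal logic',
+realWorldImpact: [
+'Internal file path disclosure',
+'Application architecture fingerprinting',
+'Stack trace information leakage'
+]
+}
+}));
+}
+// Check #8B: exc_info=True usage (may expose detailed error information)
+if (lowerLine.includes('exc_info') &&
+(lowerLine.includes('true') || lowerLine.includes('1')) &&
+!trimmedLine.startsWith('#')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'python-exception-traceback',
+severity: 'MEDIUM',
+confidence: 'MEDIUM',
+message: 'Detailed error information may be exposed to users',
+line: index + 1,
+suggestion: 'Ensure exc_info logs are server-side only and not exposed to users',
+owasp: 'A10:2025',
+cwe: 'CWE-209',
+pciDss: 'Requirement 6.5.5',
+remediation: {
+explanation: 'exc_info=True includes full stack traces in logs which may be exposed',
+before: 'logger.exception("error", exc_info=True)',
+after: 'logging.exception("error") # Includes traceback by default, server-side only'
+},
+attackVector: {
+description: 'Exception info exposure reveals internal errors and stack traces',
+realWorldImpact: [
+'Stack trace disclosure',
+'Internal error message exposure',
+'Debug information leakage'
+]
+}
+}));
+}
+// Check #8: Detailed error responses in production
+// Only flag if detailed errors are exposed in HTTP responses, not standalone logging
+const hasDetailedError = (lowerLine.includes('traceback') || lowerLine.includes('exc_info')) &&
+(lowerLine.includes('true') || lowerLine.includes('1'));
+const isHttpResponse = lowerLine.includes('return') ||
+lowerLine.includes('jsonify') ||
+lowerLine.includes('render_template') ||
+lowerLine.includes('httpresponse');
+// Standalone logging is fine (logging.error(..., exc_info=True))
+// Only flag if errors are exposed in HTTP responses
+if (hasDetailedError && isHttpResponse) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)({
+category: 'Security Misconfiguration',
+severity: 'MEDIUM',
+confidence: 'MEDIUM',
+message: 'Detailed error information may be exposed to users',
+line: index + 1,
+suggestion: 'Log detailed errors server-side, return generic messages to users',
+owasp: 'A02:2025',
+cwe: 'CWE-209',
+pciDss: 'Requirement 6.1',
+remediation: {
+explanation: 'Detailed error messages reveal internal application structure',
+before: 'return jsonify({"error": traceback.format_exc()})',
+after: 'logging.exception("Internal error occurred"); return jsonify({"error": "Internal server error"})'
+},
+attackVector: {
+description: 'Error messages can reveal file paths, database schemas, and internal logic',
+realWorldImpact: [
+'Internal file path disclosure',
+'Database schema revelation',
+'Third-party library version exposure',
+'Application architecture fingerprinting'
+]
+}
+}));
+}
+});
+return vulnerabilities;
+}
+//# sourceMappingURL=security-misconfiguration.js.map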
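Review bot: Check #8's own `before` example, `return jsonify({"error": traceback.format_exc()})`, never triggers it, because `hasDetailedError` additionally requires the line to contain `true` or `1` and `traceback.format_exc()` contains neither, while the `lowerLine.includes('1')` clause there and in Check #8B matches any digit 1 on the line, so a harmless `logger.error("failed", exc_info=False, extra={"attempt": 1})` is reported but the documented response-leak is not. Replacing both `(lowerLine.includes('true') || lowerLine.includes('1'))` conditions with `/exc_info\s*=\s*(true|1)\b/.test(lowerLine)` and letting `hasDetailedError` also accept `lowerLine.includes('traceback.format_exc')` fixes both directions. Check #8B also contradicts the comment a few lines below it ("Standalone logging is fine (logging.error(..., exc_info=True))"): every such logging call is emitted as a CWE-209 finding regardless of whether it reaches a response, and lines that do reach a response get the same message twice. Separately, a Flask `app.config['SECRET_KEY'] = 'hardcoded'` line is caught by neither Check #3 (excluded by `!lowerLine.includes('app.config')`) nor Check #4 (which only matches the double-quoted `app.config["secret_key"]`), so the single-quote spelling and `app.config.update(SECRET_KEY=...)` are missed. As this is tsc output under dist/, the fix belongs in the .ts source the source map points at.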
@@ -0,0 +1 @@
1
+
{"version":3,"file":"security-misconfiguration.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/security-misconfiguration.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAqBH,sEAiYC;AAnZD,sEAAiF;AAEjF;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,6BAA6B,CAC3C,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,sCAAsC;QACtC,oFAAoF;QACpF,gGAAgG;QAChG,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YACpF,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;YACrE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC9B,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,CAAE,4BAA4B;YAClG,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,yCAAyC;gBAClD,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,+DAA+D;gBAC3E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,kGAAkG;oBAC/G,MAAM,EAAE,cAAc;oBACtB,KAAK,EAAE,uDAAuD;iBAC/D;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,iEAAiE;oBAC9E,eAAe,EAAE;
wBACf,wCAAwC;wBACxC,+CAA+C;wBAC/C,+CAA+C;wBAC/C,iDAAiD;qBAClD;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,2DAA2D;QAC3D,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC1F,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;YACrE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,wCAAwC;gBACjD,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,2CAA2C;gBACvD,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,8EAA8E;oBAC3F,MAAM,EAAE,qBAAqB;oBAC7B,KAAK,EAAE,oEAAoE;iBAC5E;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,iFAAiF;oBAC9F,eAAe,EAAE;wBACf,wCAAwC;wBACxC,sCAAsC;wBACtC,qCAAqC;wBACrC,gCAAgC;qBACjC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,qGAAqG;QACrG,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC3D,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACxD,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAClE,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YAC/E,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,4CAA4C;gBACrD,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,wDAAwD;gBACpE,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,uEAAuE;oBACpF,MAAM,EAAE,8CAA8C;oBACtD,KAAK,EAAE,2CAA2C;iBACnD;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,8DAA8D;oBAC3E,eAAe,EAAE;wBACf,+BAA+B;wBAC/B,kCAAkC;wBAClC,mCAAmC;wBACnC,qCAAqC;qBACtC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAAC;YACxF,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnF,CAAC,SAAS,CAA
C,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,2CAA2C;gBACpD,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,wDAAwD;gBACpE,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,yEAAyE;oBACtF,MAAM,EAAE,qCAAqC;oBAC7C,KAAK,EAAE,+CAA+C;iBACvD;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,sEAAsE;oBACnF,eAAe,EAAE;wBACf,wBAAwB;wBACxB,4BAA4B;wBAC5B,wBAAwB;wBACxB,8BAA8B;qBAC/B;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gDAAgD;QAChD,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAC9D,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAC7F,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,wDAAwD;gBACjE,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,mEAAmE;gBAC/E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,wDAAwD;oBACrE,MAAM,EAAE,uBAAuB;oBAC/B,KAAK,EAAE,0DAA0D;iBAClE;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,mFAAmF;oBAChG,eAAe,EAAE;wBACf,+BAA+B;wBAC/B,yBAAyB;wBACzB,uBAAuB;wBACvB,0BAA0B;qBAC3B;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,2CAA2C;QAC3C,oFAAoF;QACpF,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,uBAAuB,CAAC,CAAC;YACxF,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnF,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;YACrE,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,0CAA0C;gBACnD,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,mEAAmE;gBAC/E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,kEAAkE;oBAC/E,MAAM,EAAE,sCAAsC;oBAC9C,KAAK,EAA
E,yDAAyD;iBACjE;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,0EAA0E;oBACvF,eAAe,EAAE;wBACf,+BAA+B;wBAC/B,mCAAmC;wBACnC,yBAAyB;wBACzB,gDAAgD;qBACjD;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;YACnE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;YAC1E,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnF,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,gCAAgC;gBAC1C,QAAQ,EAAE,UAAU;gBACpB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,sDAAsD;gBAC/D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,kFAAkF;gBAC9F,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,6DAA6D;oBAC1E,MAAM,EAAE,mCAAmC;oBAC3C,KAAK,EAAE,6CAA6C;iBACrD;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,+DAA+D;oBAC5E,eAAe,EAAE;wBACf,yCAAyC;wBACzC,yCAAyC;wBACzC,gCAAgC;wBAChC,qCAAqC;qBACtC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,6EAA6E;QAC7E,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,qBAAqB,CAAC;YACzC,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YAC5C,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,4BAA4B;gBACtC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,oDAAoD;gBAC7D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,0EAA0E;gBACtF,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,mBAAmB;gBAC3B,WAAW,EAAE;oBACX,WAAW,EAAE,wEAAwE;oBACrF,MAAM,EAAE,uBAAuB;oBAC/B,KAAK,EAAE,yDAAyD;iBACjE;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,0DAA0D;oBACvE,eAAe,EAAE;wBACf,+BAA+B;wBAC/B,yCAAyC;wBACzC,iCAAiC;qBAClC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9B,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACvD,CAAC,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,4BAA4B;gBACtC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,QAAQ;g
BACpB,OAAO,EAAE,oDAAoD;gBAC7D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,oEAAoE;gBAChF,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,mBAAmB;gBAC3B,WAAW,EAAE;oBACX,WAAW,EAAE,uEAAuE;oBACpF,MAAM,EAAE,0CAA0C;oBAClD,KAAK,EAAE,+EAA+E;iBACvF;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,kEAAkE;oBAC/E,eAAe,EAAE;wBACf,wBAAwB;wBACxB,iCAAiC;wBACjC,2BAA2B;qBAC5B;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,qFAAqF;QACrF,MAAM,gBAAgB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACnE,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QACjF,MAAM,cAAc,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5B,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7B,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC;YACrC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;QAE1D,iEAAiE;QACjE,oDAAoD;QACpD,IAAI,gBAAgB,IAAI,cAAc,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAAC;gBAChC,QAAQ,EAAE,2BAA2B;gBACrC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,oDAAoD;gBAC7D,IAAI,EAAE,KAAK,GAAG,CAAC;gBACf,UAAU,EAAE,mEAAmE;gBAC/E,KAAK,EAAE,UAAU;gBACjB,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,iBAAiB;gBACzB,WAAW,EAAE;oBACX,WAAW,EAAE,+DAA+D;oBAC5E,MAAM,EAAE,mDAAmD;oBAC3D,KAAK,EAAE,kGAAkG;iBAC1G;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,4EAA4E;oBACzF,eAAe,EAAE;wBACf,+BAA+B;wBAC/B,4BAA4B;wBAC5B,sCAAsC;wBACtC,yCAAyC;qBAC1C;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
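--- /dev/null
+++ b/<dist-dir-placeholder>/ssrf-detection.d.ts
@@ -0,0 +1,26 @@
+/**
+* Python SSRF (Server-Side Request Forgery) Security Checks
+* OWASP A10:2021 - Server-Side Request Forgery (CWE-918)
+*
+* Detects SSRF vulnerabilities where user input controls URLs in HTTP requests,
+* allowing attackers to access internal services, cloud metadata, or arbitrary hosts.
+*
+* Created: 2025-12-18 (Phase 0 - Priority 0 Critical Gap)
+*/
+import { SecurityVulnerability } from '../../types';
+/**
+* Checks for SSRF vulnerabilities in Python code
+*
+* Covers:
+* - Check #40: requests library with user-controlled URLs (CRITICAL)
+* - Check #41: urllib with user-controlled URLs (CRITICAL)
+* - Check #42: httplib/http.client with user input (HIGH)
+* - Check #43: No URL validation or whitelist (HIGH)
+* - Check #44: Internal IP access without validation (CRITICAL)
+*
+* @param lines - Array of code lines
+* @param userInputVariables - Map of variable names assigned from user input
+* @returns Array of security vulnerabilities found
+*/
+export declare function checkSSRF(lines: string[], userInputVariables: Map<string, number>): SecurityVulnerability[];
+//# sourceMappingURL=ssrf-detection.d.ts.map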
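Review bot: The JSDoc on lines 18-19 of this declaration advertises Check #43 as "No URL validation or whitelist" and a Check #44 "Internal IP access without validation", but the compiled implementation in ssrf-detection.js labels its Check #43 "URL Construction with User Input" and contains no Check #44 at all, so a caller reading the declaration expects coverage that does not exist. Either drop the #44 bullet and reword #43 to `* - Check #43: URL construction with user input via concatenation/f-strings (HIGH)`, or add the missing check; the same header comment is duplicated in ssrf-detection.js and should be corrected there too.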
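--- /dev/null
+++ b/<dist-dir-placeholder>/ssrf-detection.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-detection.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/ssrf-detection.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,SAAS,CACvB,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACtC,qBAAqB,EAAE,CA2NzB"}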
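--- /dev/null
+++ b/<dist-dir-placeholder>/ssrf-detection.js
@@ -0,0 +1,160 @@
+"use strict";
+/**
+* Python SSRF (Server-Side Request Forgery) Security Checks
+* OWASP A10:2021 - Server-Side Request Forgery (CWE-918)
+*
+* Detects SSRF vulnerabilities where user input controls URLs in HTTP requests,
+* allowing attackers to access internal services, cloud metadata, or arbitrary hosts.
+*
+* Created: 2025-12-18 (Phase 0 - Priority 0 Critical Gap)
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSSRF = checkSSRF;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+* Checks for SSRF vulnerabilities in Python code
+*
+* Covers:
+* - Check #40: requests library with user-controlled URLs (CRITICAL)
+* - Check #41: urllib with user-controlled URLs (CRITICAL)
+* - Check #42: httplib/http.client with user input (HIGH)
+* - Check #43: No URL validation or whitelist (HIGH)
+* - Check #44: Internal IP access without validation (CRITICAL)
+*
+* @param lines - Array of code lines
+* @param userInputVariables - Map of variable names assigned from user input
+* @returns Array of security vulnerabilities found
+*/
+function checkSSRF(lines, userInputVariables) {
+const vulnerabilities = [];
+let inMultiLineComment = false;
+// Track URL variables that come from user input
+const urlVariablesFromInput = new Map(); // variable name -> line number
+lines.forEach((line, index) => {
+const lineNumber = index + 1;
+const trimmed = line.trim();
+// CRITICAL: Track Python triple-quote comment blocks (""" ... """ or ''' ... ''')
+const hasTripleQuote = trimmed.includes('"""') || trimmed.includes("'''");
+if (hasTripleQuote) {
+if (!inMultiLineComment) {
+inMultiLineComment = true;
+const tripleQuoteCount = (trimmed.match(/"""/g) || []).length + (trimmed.match(/'''/g) || []).length;
+if (tripleQuoteCount >= 2) {
+inMultiLineComment = false;
+}
+return;
+}
+else {
+inMultiLineComment = false;
+return;
+}
+}
+// CRITICAL: Skip all lines inside multi-line comments and single-line comments
+if (!trimmed || inMultiLineComment || trimmed.startsWith('#')) {
+return;
+}
+// Track URL variables from user input
+// Pattern: url = request.args.get('url') or url = request.form['url']
+const urlAssignMatch = trimmed.match(/^(\w*url\w*)\s*=\s*request\.(args|form|data|json|values|params|get_json|cookies)/i);
+if (urlAssignMatch) {
+const varName = urlAssignMatch[1];
+urlVariablesFromInput.set(varName, lineNumber);
+}
+// =============================================================================
+// CHECK #40: requests Library with User-Controlled URLs (CRITICAL)
+// =============================================================================
+// Pattern: requests.get(url) where url is from user input
+const requestsMatch = trimmed.match(/requests\.(get|post|put|delete|patch|head|options|request)\s*\(\s*([^)]+)\s*\)/);
+if (requestsMatch) {
+const httpMethod = requestsMatch[1];
+const urlArg = requestsMatch[2].split(',')[0].trim(); // First argument is URL
+// Check if URL is a user input variable
+if (userInputVariables.has(urlArg) || urlVariablesFromInput.has(urlArg)) {
+const userInputLine = userInputVariables.get(urlArg) || urlVariablesFromInput.get(urlArg);
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', `SSRF: requests.${httpMethod}() with user-controlled URL '${urlArg}' (line ${userInputLine})`, 'Validate URL against allowlist, block private IPs (127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16)', lineNumber, `Server-Side Request Forgery allows attackers to make the server send HTTP requests to arbitrary URLs. This can access internal services (databases, admin panels), cloud metadata endpoints (AWS EC2: 169.254.169.254), or perform port scanning. Variable '${urlArg}' was assigned from user input on line ${userInputLine}.`, `# Line ${userInputLine}:\nurl = request.args.get('url') # User controls: "http://169.254.169.254/latest/meta-data/"\n# Line ${lineNumber}:\nresponse = requests.${httpMethod}(url) # Fetches AWS credentials!`, [
+'Access to internal services (databases, Redis, admin panels)',
+'Cloud metadata theft (AWS/Azure/GCP credentials)',
+'Port scanning of internal network',
+'Bypass of firewall restrictions',
+'Reading local files via file:// protocol',
+'Denial of Service (target external services)'
+], `url = request.args.get('url')\nresponse = requests.${httpMethod}(url) # Vulnerable to SSRF`, `import re\nimport ipaddress\nfrom urllib.parse import urlparse\n\nurl = request.args.get('url')\n\n# Validate URL scheme (only allow http/https)\nparsed = urlparse(url)\nif parsed.scheme not in ['http', 'https']:\n raise ValueError("Invalid URL scheme")\n\n# Block private IP addresses\nhostname = parsed.hostname\ntry:\n ip = ipaddress.ip_address(hostname)\n if ip.is_private or ip.is_loopback or ip.is_link_local:\n raise ValueError("Private IP addresses not allowed")\nexcept ValueError:\n pass # Hostname, not IP\n\n# Whitelist allowed domains\nallowed_domains = ['api.example.com', 'trusted.com']\nif parsed.hostname not in allowed_domains:\n raise ValueError(f"Domain {parsed.hostname} not in allowlist")\n\nresponse = requests.${httpMethod}(url, timeout=5) # Safe with validation`, 'Always validate URLs against an allowlist of allowed domains. Block private IP ranges (127.0.0.0/8, 10.0.0.0/8, 192.168.0.0/16, 169.254.0.0/16). Only allow http/https schemes. Set timeouts to prevent hanging.'));
+}
+// Check for direct request.args.get() in URL parameter
+if (urlArg.includes('request.args') || urlArg.includes('request.form') ||
+urlArg.includes('request.json') || urlArg.includes('request.data')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', `SSRF: requests.${httpMethod}() with direct user input from request`, 'Extract URL to variable and validate against allowlist', lineNumber, 'Passing user input directly to HTTP request functions allows Server-Side Request Forgery attacks. Attackers can access internal services, cloud metadata endpoints, or arbitrary external URLs.', `response = requests.${httpMethod}(request.args.get('url')) # Direct SSRF`, [
+'Access to internal services',
+'Cloud metadata theft',
+'Port scanning',
+'Firewall bypass',
+'Local file reading (file:// protocol)'
+], `response = requests.${httpMethod}(request.args.get('url'))`, `url = request.args.get('url')\n\n# Validate URL\nallowed_domains = ['api.example.com']\nparsed = urlparse(url)\nif parsed.hostname not in allowed_domains:\n raise ValueError("Invalid domain")\n\nresponse = requests.${httpMethod}(url, timeout=5)`, 'Always validate URLs before making HTTP requests. Use domain allowlists and block private IP ranges.'));
+}
+}
+// =============================================================================
+// CHECK #41: urllib with User-Controlled URLs (CRITICAL)
+// =============================================================================
+// Pattern: urllib.request.urlopen(url) where url is from user input
+const urllibMatch = trimmed.match(/urllib\.request\.urlopen\s*\(\s*([^)]+)\s*\)/);
+if (urllibMatch) {
+const urlArg = urllibMatch[1].trim();
+// Check if URL is a user input variable
+if (userInputVariables.has(urlArg) || urlVariablesFromInput.has(urlArg)) {
+const userInputLine = userInputVariables.get(urlArg) || urlVariablesFromInput.get(urlArg);
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', `SSRF: urllib.request.urlopen() with user-controlled URL '${urlArg}' (line ${userInputLine})`, 'Validate URL against allowlist, block private IPs', lineNumber, `urllib.request.urlopen() with user-controlled URLs allows Server-Side Request Forgery. Attackers can access internal services, cloud metadata, or arbitrary external resources. Variable '${urlArg}' was assigned from user input on line ${userInputLine}.`, `url = request.args.get('url')\nresponse = urllib.request.urlopen(url) # Can access http://169.254.169.254/`, [
+'Internal service access',
+'Cloud metadata theft (AWS/Azure/GCP)',
+'Port scanning',
+'File protocol abuse (file:///etc/passwd)',
+'Firewall bypass'
+], `import urllib.request\nurl = request.args.get('url')\nresponse = urllib.request.urlopen(url)`, `import urllib.request\nfrom urllib.parse import urlparse\nimport ipaddress\n\nurl = request.args.get('url')\n\n# Validate URL\nparsed = urlparse(url)\nif parsed.scheme not in ['http', 'https']:\n raise ValueError("Invalid scheme")\n\n# Block private IPs\nhostname = parsed.hostname\ntry:\n ip = ipaddress.ip_address(hostname)\n if ip.is_private or ip.is_loopback:\n raise ValueError("Private IPs not allowed")\nexcept ValueError:\n pass\n\nresponse = urllib.request.urlopen(url, timeout=5)`, 'Validate URLs with allowlists, block private IP ranges, only allow http/https schemes, set timeouts'));
+}
+// Check for direct request input
+if (urlArg.includes('request.')) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', 'SSRF: urllib.request.urlopen() with direct user input', 'Validate URL before making request', lineNumber, 'Direct use of user input in urllib.request.urlopen() enables SSRF attacks', 'urllib.request.urlopen(request.args.get("url")) # Direct SSRF', [
+'Internal service access',
+'Cloud metadata theft',
+'Port scanning',
+'File protocol abuse'
+], `urllib.request.urlopen(request.args.get('url'))`, `url = request.args.get('url')\n# Validate URL against allowlist\nif not is_allowed_url(url):\n raise ValueError("Invalid URL")\nurllib.request.urlopen(url, timeout=5)`, 'Always validate URLs before using urllib.request.urlopen()'));
+}
+}
+// =============================================================================
+// CHECK #42: httplib/http.client with User Input (HIGH)
+// =============================================================================
+// Pattern: httplib.HTTPConnection(host) where host is from user input
+const httplibMatch = trimmed.match(/(httplib|http\.client)\.(HTTPConnection|HTTPSConnection)\s*\(\s*([^)]+)\s*\)/);
+if (httplibMatch) {
+const hostArg = httplibMatch[3].trim();
+if (userInputVariables.has(hostArg)) {
+const userInputLine = userInputVariables.get(hostArg);
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', `SSRF: HTTP connection with user-controlled host '${hostArg}' (line ${userInputLine})`, 'Validate host against allowlist', lineNumber, `Creating HTTP connections with user-controlled hostnames enables SSRF attacks. Variable '${hostArg}' was assigned from user input on line ${userInputLine}.`, `host = request.args.get('host')\nconn = httplib.HTTPConnection(host) # Can connect to internal services`, [
+'Internal network scanning',
+'Access to internal services',
+'Cloud metadata access',
+'Port enumeration'
+], `host = request.args.get('host')\nconn = httplib.HTTPConnection(host)`, `host = request.args.get('host')\n\n# Validate against allowlist\nallowed_hosts = ['api.example.com']\nif host not in allowed_hosts:\n raise ValueError("Host not allowed")\n\nconn = httplib.HTTPConnection(host, timeout=5)`, 'Validate hostnames against allowlists before creating HTTP connections'));
+}
+}
+// =============================================================================
+// CHECK #43: URL Construction with User Input (HIGH)
+// =============================================================================
+// Pattern: url = "http://api.com/" + user_input (path traversal in URLs)
+if (trimmed.match(/url\w*\s*=.*["']https?:\/\//) &&
+(trimmed.includes('+') || trimmed.includes('f"') || trimmed.includes("f'"))) {
+// Check if line contains user input variables
+const hasUserInput = Array.from(userInputVariables.keys()).some(varName => trimmed.includes(varName));
+if (hasUserInput) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('ssrf', 'SSRF: URL constructed with user input via string concatenation', 'Validate input, use URL parsing libraries to prevent manipulation', lineNumber, 'Constructing URLs by concatenating user input can lead to SSRF if attackers inject special characters or path traversal sequences to change the target host.', 'url = f"http://api.internal.com/{user_path}" # user_path = "../../../169.254.169.254/meta-data/"', [
+'URL manipulation to internal services',
+'Path traversal in URLs',
+'Host header injection',
+'Access to unintended endpoints'
+], `url = f"http://api.internal.com/{user_path}"\nresponse = requests.get(url)`, `from urllib.parse import urljoin, urlparse\n\nbase_url = "http://api.internal.com/"\nuser_path = request.args.get('path')\n\n# Build URL safely\nurl = urljoin(base_url, user_path)\n\n# Validate final URL is still on same host\nparsed = urlparse(url)\nif parsed.hostname != 'api.internal.com':\n raise ValueError("URL manipulation detected")\n\nresponse = requests.get(url, timeout=5)`, 'Use urllib.parse.urljoin() for safe URL construction. Validate final URL hostname matches expected domain.'));
+}
+}
+});
+return vulnerabilities;
+}
+//# sourceMappingURL=ssrf-detection.js.map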
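Review bot: Checks #41 and #42 (lines 101 and 129 of the new file) take the whole parenthesised argument list as the variable name, so `urllib.request.urlopen(url, timeout=5)` and `http.client.HTTPSConnection(host, 443)` are never looked up in `userInputVariables` and pass silently, even though the remediation text this very check emits (lines 111 and 137) recommends exactly that `timeout=5` form. Applying the same first-argument extraction Check #40 already uses on line 70 closes the gap: `const urlArg = urllibMatch[1].split(',')[0].trim();` and `const hostArg = httplibMatch[3].split(',')[0].trim();`. The direct-input test on line 114, `urlArg.includes('request.')`, also fires on the common idiom `urllib.request.urlopen(urllib.request.Request(url))` whose `url` may be a constant, and should be narrowed to the `request.args`/`request.form`/`request.json`/`request.data` list used on lines 84-85. Separately, the heuristic on line 147 matches tracked variable names as bare substrings of the line, so a user-input variable named `id` triggers on any URL line containing `width` or `video`; a word-boundary regular expression built from the escaped name would avoid that.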
@@ -0,0 +1 @@
1
+
{"version":3,"file":"ssrf-detection.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/ssrf-detection.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAmBH,8BA8NC;AA9OD,sEAAiF;AAEjF;;;;;;;;;;;;;GAaG;AACH,SAAgB,SAAS,CACvB,KAAe,EACf,kBAAuC;IAEvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,gDAAgD;IAChD,MAAM,qBAAqB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,+BAA+B;IAExF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,sCAAsC;QACtC,sEAAsE;QACtE,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,mFAAmF,CAAC,CAAC;QAC1H,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,OAAO,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YAClC,qBAAqB,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QACjD,CAAC;QAED,gFAAgF;QAChF,mEAAmE;QACnE,gFAAgF;QAChF,0DAA0D;QAE1D,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,gFAAgF,CAAC,CAAC;QACtH,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACpC,MAAM,MAAM,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,wBAAwB;YAE9E,wCAAwC;YACxC,IAAI,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxE,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;gBAC3F,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,kBAAkB,UAAU,gCAAgC,MAAM,WAAW,aAAa,GAAG,EAC7F
,6FAA6F,EAC7F,UAAU,EACV,+PAA+P,MAAM,0CAA0C,aAAa,GAAG,EAC/T,UAAU,aAAa,yGAAyG,UAAU,0BAA0B,UAAU,mCAAmC,EACjN;oBACE,8DAA8D;oBAC9D,kDAAkD;oBAClD,mCAAmC;oBACnC,iCAAiC;oBACjC,0CAA0C;oBAC1C,8CAA8C;iBAC/C,EACD,sDAAsD,UAAU,6BAA6B,EAC7F,wvBAAwvB,UAAU,0CAA0C,EAC5yB,kNAAkN,CACnN,CAAC,CAAC;YACL,CAAC;YAED,uDAAuD;YACvD,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC;gBAClE,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;gBACvE,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,kBAAkB,UAAU,wCAAwC,EACpE,wDAAwD,EACxD,UAAU,EACV,iMAAiM,EACjM,uBAAuB,UAAU,0CAA0C,EAC3E;oBACE,6BAA6B;oBAC7B,sBAAsB;oBACtB,eAAe;oBACf,iBAAiB;oBACjB,uCAAuC;iBACxC,EACD,uBAAuB,UAAU,2BAA2B,EAC5D,6NAA6N,UAAU,kBAAkB,EACzP,sGAAsG,CACvG,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,yDAAyD;QACzD,gFAAgF;QAChF,oEAAoE;QAEpE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClF,IAAI,WAAW,EAAE,CAAC;YAChB,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAErC,wCAAwC;YACxC,IAAI,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBACxE,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,qBAAqB,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;gBAC3F,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,4DAA4D,MAAM,WAAW,aAAa,GAAG,EAC7F,mDAAmD,EACnD,UAAU,EACV,6LAA6L,MAAM,0CAA0C,aAAa,GAAG,EAC7P,6GAA6G,EAC7G;oBACE,yBAAyB;oBACzB,sCAAsC;oBACtC,eAAe;oBACf,0CAA0C;oBAC1C,iBAAiB;iBAClB,EACD,8FAA8F,EAC9F,8fAA8f,EAC9f,qGAAqG,CACtG,CAAC,CAAC;YACL,CAAC;YAED,iCAAiC;YACjC,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAChC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,uDAAuD,EACvD,oCAAoC,EACpC,UAAU,EACV,2EAA2E,EAC3E,gEAAgE,EAChE;oBACE,yBAAyB;oBACzB,sBAAsB;oBACtB,eAAe;oBACf,qBAAqB;iBACtB,EACD,iDAAiD,EACjD,2KAA2K,EAC3K,4DAA4D,CAC7D,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,wDAAwD;QACxD,gFAAgF;QAChF,sEAAsE;QAEtE,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,8EAA8E,CAAC,CAAC;QACnH,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAEvC,IAAI,kBAAkB,CAAC,GAAG,CAA
C,OAAO,CAAC,EAAE,CAAC;gBACpC,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;gBACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,oDAAoD,OAAO,WAAW,aAAa,GAAG,EACtF,iCAAiC,EACjC,UAAU,EACV,4FAA4F,OAAO,0CAA0C,aAAa,GAAG,EAC7J,0GAA0G,EAC1G;oBACE,2BAA2B;oBAC3B,6BAA6B;oBAC7B,uBAAuB;oBACvB,kBAAkB;iBACnB,EACD,sEAAsE,EACtE,iOAAiO,EACjO,wEAAwE,CACzE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,qDAAqD;QACrD,gFAAgF;QAChF,yEAAyE;QAEzE,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC;YAC5C,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAChF,8CAA8C;YAC9C,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACxE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAC1B,CAAC;YAEF,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,MAAM,EACN,gEAAgE,EAChE,mEAAmE,EACnE,UAAU,EACV,8JAA8J,EAC9J,mGAAmG,EACnG;oBACE,uCAAuC;oBACvC,wBAAwB;oBACxB,uBAAuB;oBACvB,gCAAgC;iBACjC,EACD,4EAA4E,EAC5E,oYAAoY,EACpY,4GAA4G,CAC7G,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}