codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js ADDED
@@ -0,0 +1,153 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Credentials & Cryptography Security Checks
4
+ * OWASP A07:2021 - Authentication & Identification Failures
5
+ * OWASP A02:2021 - Cryptographic Failures
6
+ *
7
+ * Detects hardcoded credentials, weak cryptography, and insecure storage.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkCredentialsAndCrypto = checkCredentialsAndCrypto;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for credentials and cryptography vulnerabilities in TypeScript code
14
+ *
15
+ * Covers:
16
+ * - Check #8: Hardcoded credentials (CRITICAL)
17
+ * - Check #9: Math.random() for security (MEDIUM)
18
+ * - Check #10: localStorage for sensitive data (MEDIUM)
19
+ *
20
+ * @param lines - Array of code lines
21
+ * @returns Array of security vulnerabilities found
22
+ */
23
+ function checkCredentialsAndCrypto(lines) {
24
+ const vulnerabilities = [];
25
+ let inMultiLineComment = false;
26
+ lines.forEach((line, index) => {
27
+ const lineNumber = index + 1;
28
+ const trimmed = line.trim();
29
+ // Track multi-line comment blocks (/* ... */)
30
+ if (trimmed.includes('/*')) {
31
+ inMultiLineComment = true;
32
+ }
33
+ if (trimmed.includes('*/')) {
34
+ inMultiLineComment = false;
35
+ return;
36
+ }
37
+ // Skip comments and empty lines
38
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
39
+ return;
40
+ // OWASP A07:2021 - Authentication & Identification Failures
41
+ // 8. Hardcoded credentials - CRITICAL
42
+ // FIXED: Added [\w_-]* to match variable names like SECRET_KEY, API_TOKEN, etc.
43
+ if (trimmed.match(/(password|passwd|pwd|secret|token|api[-_]?key|private[-_]?key|auth)[\w_-]*\s*[:=]\s*['"]/i) &&
44
+ !trimmed.includes('process.env') && !trimmed.includes('config.')) {
45
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('hardcoded-credentials', 'CRITICAL: Hardcoded credentials in code', 'Use environment variables (process.env) or secret managers', lineNumber, 'Hardcoded credentials can be extracted from source code, version control history, or compiled bundles, granting unauthorized access to attackers.', 'const API_KEY = "sk-1234567890abcdef"; // Exposed in git history and production bundles', [
46
+ 'Unauthorized access to APIs and databases',
47
+ 'Data breaches',
48
+ 'Account takeover',
49
+ 'Compliance violations (PCI-DSS, SOC 2)'
50
+ ], 'const password = "MyP@ssw0rd123"; // NEVER hardcode!', 'const password = process.env.DB_PASSWORD; // Load from environment', 'Store credentials in environment variables or use secret management services (AWS Secrets Manager, HashiCorp Vault)'));
51
+ }
52
+ // OWASP A02:2021 - Cryptographic Failures
53
+ // 8b. Weak cryptographic hashing (MD5, SHA1) - HIGH
54
+ if (trimmed.match(/createHash\s*\(\s*['"`](md5|sha1|md4)['"`]\)/i)) {
55
+ const hashMatch = trimmed.match(/createHash\s*\(\s*['"`](md5|sha1|md4)['"`]\)/i);
56
+ const weakAlgorithm = hashMatch ? hashMatch[1].toUpperCase() : 'MD5/SHA1';
57
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('weak-hashing', `Weak cryptographic hashing algorithm: ${weakAlgorithm}`, 'Use SHA-256, SHA-384, or SHA-512 for cryptographic purposes', lineNumber, `${weakAlgorithm} is cryptographically broken and should not be used for security purposes. It's vulnerable to collision attacks where attackers can create two different inputs that produce the same hash.`, `crypto.createHash('md5').update(password).digest('hex'); // Vulnerable to collisions`, [
58
+ 'Password hash collisions',
59
+ 'Integrity verification bypass',
60
+ 'Digital signature forgery',
61
+ 'Rainbow table attacks',
62
+ 'Compliance violations (PCI-DSS, HIPAA)'
63
+ ], `const hash = crypto.createHash('md5').update(data).digest('hex');`, `import crypto from 'crypto';\nconst hash = crypto.createHash('sha256').update(data).digest('hex'); // Use SHA-256 or stronger`, `${weakAlgorithm} is deprecated and insecure. Use SHA-256 or stronger algorithms for password hashing, use bcrypt/argon2 for password storage`));
64
+ }
65
+ // 9. Math.random() for security - MEDIUM
66
+ if (trimmed.match(/Math\.random\(\)/)) {
67
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('weak-random', 'Math.random() is cryptographically weak', 'Use crypto.randomBytes() or crypto.getRandomValues()', lineNumber, 'Math.random() uses a predictable pseudo-random algorithm, allowing attackers to predict values for session tokens, passwords, or cryptographic keys.', 'const token = Math.random().toString(36); // Predictable, can be guessed', [
68
+ 'Session hijacking',
69
+ 'Predictable tokens and passwords',
70
+ 'Cryptographic key compromise',
71
+ 'CSRF token bypass'
72
+ ], 'const sessionId = Math.random().toString(36).substring(7);', 'import crypto from "crypto";\nconst sessionId = crypto.randomBytes(16).toString("hex");', 'Use Node.js crypto.randomBytes() or Web Crypto API crypto.getRandomValues() for cryptographically secure random values'));
73
+ }
74
+ // 10. localStorage for sensitive data - MEDIUM
75
+ if (trimmed.match(/localStorage\.(setItem|set)\([^)]*(?:token|password|key|secret)/i)) {
76
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('insecure-storage', 'localStorage is not safe for sensitive data', 'Use httpOnly cookies, temporary sessionStorage, or encrypted IndexedDB', lineNumber, 'localStorage is vulnerable to XSS attacks - any JavaScript code can read it. Sensitive data stored here can be stolen by attackers.', 'localStorage.setItem("authToken", token); // Accessible to any JavaScript code, including XSS payloads', [
77
+ 'Token theft via XSS attacks',
78
+ 'Session hijacking',
79
+ 'Credential theft',
80
+ 'Persistent access for attackers'
81
+ ], 'localStorage.setItem("token", authToken); // VULNERABLE to XSS', '// Server-side: Set httpOnly cookie\nres.cookie("token", authToken, { httpOnly: true, secure: true, sameSite: "strict" });', 'Use httpOnly cookies (not accessible to JavaScript) or encrypt data with Web Crypto API before storing'));
82
+ }
83
+ // =============================================================================
84
+ // PHASE B - Weak Encryption (AES-ECB) Detection (Dec 20, 2025)
85
+ // =============================================================================
86
+ // 12. Weak Encryption - AES-ECB Mode - HIGH
87
+ // Pattern: crypto.createCipher('aes-*-ecb') or createCipheriv with ECB mode
88
+ if (trimmed.includes('crypto.create') &&
89
+ (trimmed.includes('Cipher') || trimmed.includes('Decipher')) &&
90
+ (trimmed.includes('ecb') || trimmed.includes('ECB'))) {
91
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('weak-encryption-ecb', 'Weak encryption - AES-ECB mode does not hide data patterns', 'Use AES-GCM or AES-CBC mode with proper IV instead of ECB', lineNumber, 'Electronic Codebook (ECB) mode is insecure because identical plaintext blocks produce identical ciphertext blocks, revealing data patterns. This allows attackers to detect repeated data and perform pattern analysis attacks.', 'const cipher = crypto.createCipheriv(\'aes-256-ecb\', key, null); // Identical blocks = identical ciphertext', [
92
+ 'Data pattern disclosure',
93
+ 'Plaintext recovery through pattern analysis',
94
+ 'Cryptographic attacks (block rearrangement)',
95
+ 'Weak confidentiality protection'
96
+ ], 'crypto.createCipheriv(\'aes-256-ecb\', key, null)', 'const iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\'aes-256-gcm\', key, iv); // GCM provides authentication', 'Never use ECB mode. Use AES-GCM (authenticated encryption) or AES-CBC with random IV'));
97
+ }
98
+ // 13. Insecure crypto.createCipher (deprecated) - HIGH
99
+ // Pattern: crypto.createCipher (uses weak MD5 key derivation)
100
+ if (trimmed.includes('crypto.createCipher(') || trimmed.includes('crypto.createDecipher(')) {
101
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('deprecated-createcipher', 'Deprecated crypto.createCipher uses weak MD5 key derivation', 'Use crypto.createCipheriv with properly derived keys (PBKDF2/scrypt)', lineNumber, 'crypto.createCipher is deprecated because it uses weak MD5-based key derivation, making it vulnerable to brute force and rainbow table attacks. Modern standards require proper key derivation functions.', 'const cipher = crypto.createCipher(\'aes-256-cbc\', \'password\'); // Weak MD5 key derivation', [
102
+ 'Weak key derivation (MD5)',
103
+ 'Password brute force attacks',
104
+ 'Rainbow table attacks',
105
+ 'Insufficient protection against cryptanalysis'
106
+ ], 'crypto.createCipher(\'aes-256-cbc\', password)', 'const key = crypto.pbkdf2Sync(password, salt, 100000, 32, \'sha256\');\nconst iv = crypto.randomBytes(16);\nconst cipher = crypto.createCipheriv(\'aes-256-gcm\', key, iv);', 'Use createCipheriv with PBKDF2 or scrypt for key derivation, never createCipher'));
107
+ }
108
+ // =============================================================================
109
+ // PHASE B - Insecure TLS Configuration Detection (Dec 20, 2025)
110
+ // =============================================================================
111
+ // 14. Insecure TLS - rejectUnauthorized: false - HIGH
112
+ // Pattern: HTTPS/TLS with certificate validation disabled
113
+ if (trimmed.includes('rejectUnauthorized') && trimmed.includes('false')) {
114
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('insecure-tls-reject-unauthorized', 'TLS certificate validation disabled - vulnerable to man-in-the-middle attacks', 'Never set rejectUnauthorized: false in production - use proper certificates', lineNumber, 'Disabling certificate validation (rejectUnauthorized: false) allows man-in-the-middle attackers to intercept encrypted connections by presenting fake certificates. This defeats the entire purpose of TLS/HTTPS.', 'https.request({ hostname: \'api.example.com\', rejectUnauthorized: false }); // Attack: MITM intercepts traffic', [
115
+ 'Man-in-the-middle attacks',
116
+ 'Data interception and theft',
117
+ 'Credential theft',
118
+ 'Session hijacking',
119
+ 'Complete loss of confidentiality'
120
+ ], 'rejectUnauthorized: false', '// Use valid certificates instead of disabling validation\n// For development: Use self-signed certs with NODE_EXTRA_CA_CERTS\nconst options = { hostname: \'api.example.com\' }; // Default: rejectUnauthorized: true', 'Never disable certificate validation. Use proper CA-signed certificates or NODE_EXTRA_CA_CERTS for development'));
121
+ }
122
+ // 15. Insecure TLS - minVersion < TLS 1.2 - HIGH
123
+ // Pattern: TLS configurations with outdated protocol versions
124
+ // CRITICAL: Must NOT match TLSv1.2 or TLSv1.3 (secure versions)
125
+ const hasMinVersionOrProtocol = trimmed.includes('minVersion') || trimmed.includes('secureProtocol');
126
+ const hasInsecureTLS = (trimmed.includes('TLSv1.0') || trimmed.includes('TLSv1.1') ||
127
+ (trimmed.includes('TLSv1\'') && !trimmed.includes('TLSv1.')) ||
128
+ (trimmed.includes('TLSv1"') && !trimmed.includes('TLSv1.')) ||
129
+ trimmed.includes('SSLv') ||
130
+ trimmed.includes('TLS1_0') || trimmed.includes('TLS1_1'));
131
+ if (hasMinVersionOrProtocol && hasInsecureTLS) {
132
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('insecure-tls-version', 'Insecure TLS version - use TLS 1.2 or higher', 'Set minVersion to \'TLSv1.2\' or \'TLSv1.3\' to enforce secure protocols', lineNumber, 'TLS 1.0 and 1.1 are deprecated and vulnerable to attacks like BEAST, POODLE, and downgrade attacks. Modern standards require TLS 1.2 or higher for secure communications.', 'tls.createServer({ minVersion: \'TLSv1\' }); // Vulnerable to BEAST, POODLE attacks', [
133
+ 'Protocol downgrade attacks',
134
+ 'BEAST attack (TLS 1.0)',
135
+ 'POODLE attack (SSLv3)',
136
+ 'Weak cipher suite negotiation',
137
+ 'Man-in-the-middle attacks'
138
+ ], 'minVersion: \'TLSv1\'', 'const options = { minVersion: \'TLSv1.2\' }; // Or \'TLSv1.3\' for maximum security', 'Use TLS 1.2 or 1.3. TLS 1.0/1.1 and SSLv3 are deprecated and insecure'));
139
+ }
140
+ // 16. Insecure TLS - NODE_TLS_REJECT_UNAUTHORIZED=0 - HIGH
141
+ // Pattern: Environment variable disabling TLS validation
142
+ if (trimmed.includes('NODE_TLS_REJECT_UNAUTHORIZED') && trimmed.includes('0')) {
143
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('node-tls-reject-unauthorized', 'NODE_TLS_REJECT_UNAUTHORIZED=0 disables all TLS certificate validation', 'Remove NODE_TLS_REJECT_UNAUTHORIZED=0 - it disables certificate validation globally', lineNumber, 'Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables certificate validation for ALL HTTPS connections in the Node.js process, making every connection vulnerable to man-in-the-middle attacks.', 'process.env.NODE_TLS_REJECT_UNAUTHORIZED = \'0\'; // Disables ALL certificate validation', [
144
+ 'Global TLS validation bypass',
145
+ 'All HTTPS connections vulnerable to MITM',
146
+ 'Complete loss of transport security',
147
+ 'Credential and data theft'
148
+ ], 'NODE_TLS_REJECT_UNAUTHORIZED = \'0\'', '// Use proper certificates or NODE_EXTRA_CA_CERTS for custom CAs\n// NEVER disable validation globally', 'NEVER set NODE_TLS_REJECT_UNAUTHORIZED=0. Use NODE_EXTRA_CA_CERTS for custom CAs instead'));
149
+ }
150
+ });
151
+ return vulnerabilities;
152
+ }
153
+ //# sourceMappingURL=credentials-crypto.js.map
package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"credentials-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/credentials-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAgBH,8DAsPC;AAnQD,sEAAqF;AAErF;;;;;;;;;;GAUG;AACH,SAAgB,yBAAyB,CACvC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,4DAA4D;QAC5D,sCAAsC;QACtC,gFAAgF;QAChF,IAAI,OAAO,CAAC,KAAK,CAAC,2FAA2F,CAAC;YAC1G,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,uBAAuB,EACvB,yCAAyC,EACzC,4DAA4D,EAC5D,UAAU,EACV,mJAAmJ,EACnJ,yFAAyF,EACzF;gBACE,2CAA2C;gBAC3C,eAAe;gBACf,kBAAkB;gBAClB,wCAAwC;aACzC,EACD,sDAAsD,EACtD,oEAAoE,EACpE,qHAAqH,CACtH,CAAC,CAAC;QACL,CAAC;QAED,0CAA0C;QAC1C,oDAAoD;QACpD,IAAI,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,EAAE,CAAC;YACnE,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACjF,MAAM,aAAa,GAAG,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;YAE1E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,cAAc,EACd,yCAAyC,aAAa,EAAE,EACxD,6DAA6D,EAC7D,UAAU,EACV,GAAG,aAAa,6LAA6L,EAC7M,sFAAsF,EACtF;gBACE,0BAA0B;gBAC1B,+BAA+B;gBAC/B,2BAA2B;gBAC3B,uBAAuB;gBACvB,wCAAwC;aACzC,EACD,mEAAmE,EACnE,+HAA+H,EAC/H,GAAG,aAAa,8HAA8H,CAC/I,CAAC,CAAC;QACL,CAAC;QAED,yCAAyC;QACzC,IAAI,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,aAAa,EACb,yCAAyC,EACzC,sDAAsD,EACtD,UAAU,EACV,sJAAsJ,EACtJ,0EAA0E,EAC1E;gBACE,mBAAmB;gBACnB,kCAAkC;gBAClC,8BAA8B;gBAC9B,mBAAmB;aACpB,EACD,4DAA4D,EAC5D,yFAAyF,EACzF,wHAAwH,CACzH,CAAC,CAAC;QACL,CAAC;QAED,+CAA+C;QAC/C,IAAI,OAAO,CAAC,KAAK,CAAC,kEAAkE,CAAC,EAAE,CAAC;YACtF,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,kBAAkB,EAClB,6CAA6C,EAC7C,wEAAwE,EACxE,UAAU,EACV,qIAAqI,EACrI,wGAAwG,EACxG;gBACE,6BAA6B;gBAC7B,mBAAmB;gBACnB,kBAAkB;gBAClB,iCAAiC;aAClC,EACD,gEAAgE,EAChE,4HAA4H,EAC5H,wGAAwG,CACzG,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,+DAA+D;QAC/D,gFAAgF;QAEhF,4CAA4C;QAC5C,4EAA4E;QAC5E,IAAI,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC;YACjC,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,qBAAqB,EACrB,4DAA4D,EAC5D,2DAA2D,EAC3D,UAAU,EACV,iOAAiO,EACjO,8GAA8G,EAC9G;gBACE,yBAAyB;gBACzB,6CAA6C;gBAC7C,6CAA6C;gBAC7C,iCAAiC;aAClC,EACD,mDAAmD,EACnD,oIAAoI,EACpI,sFAAsF,CACvF,CAAC,CAAC;QACL,CAAC;QAED,uDAAuD;QACvD,8DAA8D;QAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC,EAAE,CAAC;YAC3F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,yBAAyB,EACzB,6DAA6D,EAC7D,sEAAsE,EACtE,UAAU,EACV,2MAA2M,EAC3M,+FAA+F,EAC/F;gBACE,2BAA2B;gBAC3B,8BAA8B;gBAC9B,uBAAuB;gBACvB,+CAA+C;aAChD,EACD,gDAAgD,EAChD,6KAA6K,EAC7K,iFAAiF,CAClF,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,gEAAgE;QAChE,gFAAgF;QAEhF,sDAAsD;QACtD,0DAA0D;QAC1D,IAAI,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACxE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,kCAAkC,EAClC,+EAA+E,EAC/E,6EAA6E,EAC7E,UAAU,EACV,mNAAmN,EACnN,iHAAiH,EACjH;gBACE,2BAA2B;gBAC3B,6BAA6B;gBAC7B,kBAAkB;gBAClB,mBAAmB;gBACnB,kCAAkC;aACnC,EACD,2BAA2B,EAC3B,wNAAwN,EACxN,gHAAgH,CACjH,CAAC,CAAC;QACL,CAAC;QAED,iDAAiD;QACjD,8DAA8D;QAC9D,gEAAgE;QAChE,MAAM,uBAAuB,GAAG,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QACrG,MAAM,cAAc,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC1D,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElF,IAAI,uBAAuB,IAAI,cAAc,EAAE,CAAC;YAC9C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,8CAA8C,EAC9C,0EAA0E,EAC1E,UAAU,EACV,2KAA2K,EAC3K,qFAAqF,EACrF;gBACE,4BAA4B;gBAC5B,wBAAwB;gBACxB,uBAAuB;gBACvB,+BAA+B;gBAC/B,2BAA2B;aAC5B,EACD,uBAAuB,EACvB,qFAAqF,EACrF,uEAAuE,CACxE,CAAC,CAAC;QACL,CAAC;QAED,2DAA2D;QAC3D,yDAAyD;QACzD,IAAI,OAAO,CAAC,QAAQ,CAAC,8BAA8B,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,8BAA8B,EAC9B,wEAAwE,EACxE,qFAAqF,EACrF,UAAU,EACV,2LAA2L,EAC3L,0FAA0F,EAC1F;gBACE,8BAA8B;gBAC9B,0CAA0C;gBAC1C,qCAAqC;gBACrC,2BAA2B;aAC5B,EACD,sCAAsC,EACtC,wGAAwG,EACxG,0FAA0F,CAC3F,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts ADDED
@@ -0,0 +1,23 @@
1
+ /**
2
+ * TypeScript Enhanced Supply Chain Security Checks
3
+ * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
4
+ *
5
+ * Enhanced supply chain security checks building on existing dependency scanning.
6
+ * Focuses on runtime dependencies, package integrity, and malicious code patterns.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for enhanced supply chain security vulnerabilities in TypeScript code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Dynamic imports without integrity validation (HIGH)
14
+ * - Check #2: Runtime dependency loading (MEDIUM)
15
+ * - Check #3: Suspicious package patterns (HIGH)
16
+ * - Check #4: Unrestricted CDN usage (MEDIUM)
17
+ * - Check #5: Package typosquatting patterns (MEDIUM)
18
+ *
19
+ * @param lines - Array of code lines
20
+ * @returns Array of security vulnerabilities found
21
+ */
22
+ export declare function checkEnhancedSupplyChain(lines: string[]): SecurityVulnerability[];
23
+ //# sourceMappingURL=enhanced-supply-chain.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAyNzB"}
package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js ADDED
@@ -0,0 +1,146 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Enhanced Supply Chain Security Checks
4
+ * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
5
+ *
6
+ * Enhanced supply chain security checks building on existing dependency scanning.
7
+ * Focuses on runtime dependencies, package integrity, and malicious code patterns.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkEnhancedSupplyChain = checkEnhancedSupplyChain;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for enhanced supply chain security vulnerabilities in TypeScript code
14
+ *
15
+ * Covers:
16
+ * - Check #1: Dynamic imports without integrity validation (HIGH)
17
+ * - Check #2: Runtime dependency loading (MEDIUM)
18
+ * - Check #3: Suspicious package patterns (HIGH)
19
+ * - Check #4: Unrestricted CDN usage (MEDIUM)
20
+ * - Check #5: Package typosquatting patterns (MEDIUM)
21
+ *
22
+ * @param lines - Array of code lines
23
+ * @returns Array of security vulnerabilities found
24
+ */
25
+ function checkEnhancedSupplyChain(lines) {
26
+ const vulnerabilities = [];
27
+ let inMultiLineComment = false;
28
+ lines.forEach((line, index) => {
29
+ const trimmedLine = line.trim();
30
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
31
+ if (trimmedLine.includes('/*')) {
32
+ inMultiLineComment = true;
33
+ }
34
+ if (trimmedLine.includes('*/')) {
35
+ inMultiLineComment = false;
36
+ return; // Skip the line with */
37
+ }
38
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
39
+ if (!trimmedLine ||
40
+ inMultiLineComment ||
41
+ trimmedLine.startsWith('//') ||
42
+ trimmedLine.startsWith('*')) {
43
+ return;
44
+ }
45
+ const lowerLine = trimmedLine.toLowerCase();
46
+ // Check #1: Dynamic imports without integrity validation
47
+ if ((lowerLine.includes('import(') || lowerLine.includes('require(')) &&
48
+ (lowerLine.includes('http://') || lowerLine.includes('https://')) &&
49
+ !lowerLine.includes('integrity') && !lowerLine.includes('sha')) {
50
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('dynamic-import-no-integrity', 'Dynamic import from URL without integrity validation', 'Use subresource integrity or validate package hashes for remote imports', index + 1, 'Dynamic imports without integrity validation can load malicious code from compromised sources', 'import("https://cdn.example.com/lib.js") // no integrity check', [
51
+ 'Malicious code injection from compromised CDNs',
52
+ 'Supply chain attacks through modified packages',
53
+ 'Man-in-the-middle attacks on package loading',
54
+ 'Runtime code modification and backdoor installation'
55
+ ], 'import("https://cdn.example.com/lib.js")', 'import("https://cdn.example.com/lib.js").then(validateIntegrity)', 'Dynamic imports from remote sources should validate package integrity to prevent supply chain attacks'));
56
+ }
57
+ // Check #2: Runtime dependency loading with eval or Function
58
+ if ((lowerLine.includes('eval(') || lowerLine.includes('function(')) &&
59
+ (lowerLine.includes('require') || lowerLine.includes('import') ||
60
+ lowerLine.includes('fetch'))) {
61
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('runtime-dependency-loading', 'Runtime dependency loading using eval or Function constructor', 'Use static imports or validated dynamic imports instead of runtime code evaluation', index + 1, 'Runtime dependency loading can execute arbitrary code and enable supply chain attacks', 'eval(`import("${userInput}")`) // arbitrary package loading', [
62
+ 'Arbitrary package execution from user input',
63
+ 'Supply chain attacks through malicious packages',
64
+ 'Code injection via dependency names',
65
+ 'Bypass of static analysis and security tools'
66
+ ], 'eval(`import("${packageName}")`)', 'const allowedPackages = ["safe-pkg1"]; if (allowedPackages.includes(packageName)) { import(packageName) }', 'Runtime dependency loading bypasses security controls and enables arbitrary code execution'));
67
+ }
68
+ // Check #3: Suspicious package patterns (TypeScript specific typosquatting)
69
+ // FIXED: Exclude type-only imports (import type) - they're compile-time only, not runtime dependencies
70
+ const isTypeOnlyImport = lowerLine.startsWith('import type') || lowerLine.includes('import type {');
71
+ if (!isTypeOnlyImport &&
72
+ (lowerLine.includes('import ') || lowerLine.includes('from ')) &&
73
+ (lowerLine.includes('"@types/') || lowerLine.includes("'@types/")) &&
74
+ (lowerLine.includes('@types/reactt') || lowerLine.includes('@types/expresss') ||
75
+ lowerLine.includes('@types/nodee') || lowerLine.includes('@types/lodashh') ||
76
+ lowerLine.includes('@types/typescriptt'))) {
77
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('suspicious-types-package', 'Potentially typosquatted @types package detected', 'Verify @types package names against DefinitelyTyped official packages', index + 1, 'Malicious @types packages can inject code through TypeScript declaration files', 'import { Component } from "@types/reactt"; // should be "@types/react"', [
78
+ 'Type definition pollution and code injection',
79
+ 'Supply chain attacks through malicious type declarations',
80
+ 'Build-time code injection via declaration files',
81
+ 'Development environment compromise'
82
+ ], 'import type { Request } from "@types/expresss";', 'import type { Request } from "@types/express"; // verify correct @types package', 'Type definition packages should be verified against DefinitelyTyped to avoid malicious declarations'));
83
+ }
84
+ // Check #4: Unrestricted CDN usage in TypeScript projects
85
+ if ((lowerLine.includes('src=') || lowerLine.includes('href=')) &&
86
+ (lowerLine.includes('unpkg.com') || lowerLine.includes('jsdelivr.net') ||
87
+ lowerLine.includes('cdnjs.cloudflare.com')) &&
88
+ !lowerLine.includes('integrity=')) {
89
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('unrestricted-cdn-usage', 'CDN resource loaded without subresource integrity', 'Add integrity attribute with SHA hash for CDN resources', index + 1, 'CDN resources without integrity checks can be compromised and serve malicious content', '<script src="https://unpkg.com/typescript@latest/lib/typescript.js"></script>', [
90
+ 'CDN compromise serving malicious TypeScript runtime',
91
+ 'Supply chain attacks through modified CDN content',
92
+ 'Man-in-the-middle attacks on CDN requests',
93
+ 'Unauthorized code modification and injection'
94
+ ], 'src="https://unpkg.com/lib@1.0.0/dist/lib.js"', 'src="https://unpkg.com/lib@1.0.0/dist/lib.js" integrity="sha384-..."', 'CDN resources should use subresource integrity to prevent tampering'));
95
+ }
96
+ // Check #5: Package typosquatting patterns in npm commands
97
+ if ((lowerLine.includes('npm install') || lowerLine.includes('yarn add') ||
98
+ lowerLine.includes('pnpm add')) &&
99
+ (lowerLine.includes('typescriptt') || lowerLine.includes('typescript-') ||
100
+ lowerLine.includes('ts-nodee') || lowerLine.includes('tslint-') ||
101
+ lowerLine.includes('@typescript-eslint-') || lowerLine.includes('@types-'))) {
102
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('package-typosquatting-pattern', 'Package name follows TypeScript ecosystem typosquatting pattern', 'Verify official TypeScript ecosystem package names before installation', index + 1, 'Typosquatted TypeScript packages can compromise development and build processes', 'npm install typescriptt // should be "typescript"', [
103
+ 'Development environment compromise',
104
+ 'Build process injection and backdoors',
105
+ 'Supply chain attacks through fake TypeScript tools',
106
+ 'Source code theft and credential harvesting'
107
+ ], 'npm install typescriptt', 'npm install typescript // verify official TypeScript ecosystem packages', 'TypeScript ecosystem packages should be verified against official npm registry to avoid typosquatting'));
108
+ }
109
+ // Check #6: Dynamic require() with environment variables or expressions (NEW - Check #87)
110
+ // Pattern: require(process.env.VAR) or require(variable) or require(expr || "default")
111
+ // This is CRITICAL because it enables arbitrary module loading at startup
112
+ if (lowerLine.includes('require(') || lowerLine.includes('import(')) {
113
+ // Check if require/import argument is NOT a static string
114
+ // Match: require(variable), require(process.env.X), require(a || b), require(config.module)
115
+ // Don't match: require("static-string"), require('static-string')
116
+ const dynamicRequirePattern = /(?:require|import)\s*\(\s*(?!['"`])([^)]+)\)/i;
117
+ const match = trimmedLine.match(dynamicRequirePattern);
118
+ if (match) {
119
+ const argument = match[1].trim();
120
+ // Check if argument contains dynamic expressions
121
+ const isDynamic = (argument.includes('process.env') || // Environment variables
122
+ argument.includes('||') || // Fallback expressions
123
+ argument.includes('+') || // Concatenation
124
+ argument.includes('config.') || // Config object access
125
+ argument.includes('options.') || // Options object access
126
+ /^[a-zA-Z_$][a-zA-Z0-9_$]*$/.test(argument) // Variable name (not a string)
127
+ );
128
+ // Additional check: Exclude template literals that are commonly used for valid dynamic imports
129
+ // like import(`./locale/${lang}.js`) which are often used for code splitting
130
+ const isTemplateLiteral = trimmedLine.includes('`') && trimmedLine.includes('${');
131
+ if (isDynamic && !isTemplateLiteral) {
132
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('dynamic-require-env-var', 'Dynamic require() with environment variable enables arbitrary module loading', 'Use static imports only. Avoid dynamic require() with user-controlled input or environment variables.', index + 1, 'Dynamic require() with environment variables or user input allows an attacker to load ANY Node.js module, including built-in modules like child_process or fs, enabling arbitrary code execution on application startup.', 'const lib = require(process.env.REPORT_LIB || "report-helper"); // attacker sets REPORT_LIB="child_process" → attacker can execute system commands', [
133
+ 'Arbitrary module loading (child_process, fs, vm, etc.)',
134
+ 'Remote code execution on startup',
135
+ 'Complete system compromise',
136
+ 'Supply chain attacks through malicious module names',
137
+ 'Environment variable injection enables backdoors',
138
+ 'Bypass of dependency scanning and security tools'
139
+ ], 'const reportUtil = require(process.env.REPORT_LIB || "report-helper");', '// Use static imports with explicit allowed list\nconst ALLOWED_MODULES = { "report-helper": require("report-helper") };\nconst moduleName = process.env.REPORT_LIB || "report-helper";\nconst reportUtil = ALLOWED_MODULES[moduleName];', 'Replace dynamic require() with static imports. If dynamic loading is necessary, maintain an explicit allowlist of permitted modules and validate against it.'));
140
+ }
141
+ }
142
+ }
143
+ });
144
+ return vulnerabilities;
145
+ }
146
+ //# sourceMappingURL=enhanced-supply-chain.js.map
package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,4DA2NC;AA1OD,sEAAqF;AAErF;;;;;;;;;;;;GAYG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yDAAyD;QACzD,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YACjE,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACnE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,sDAAsD,EACtD,yEAAyE,EACzE,KAAK,GAAG,CAAC,EACT,+FAA+F,EAC/F,gEAAgE,EAChE;gBACE,gDAAgD;gBAChD,gDAAgD;gBAChD,8CAA8C;gBAC9C,qDAAqD;aACtD,EACD,0CAA0C,EAC1C,kEAAkE,EAClE,uGAAuG,CACxG,CACF,CAAC;QACJ,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAChE,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAClC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,4BAA4B,EAC5B,+DAA+D,EAC/D,oFAAoF,EACpF,KAAK,GAAG,CAAC,EACT,uFAAuF,EACvF,6DAA6D,EAC7D;gBACE,6CAA6C;gBAC7C,iDAAiD;gBACjD,qCAAqC;gBACrC,8CAA8C;aAC/C,EACD,kCAAkC,EAClC,2GAA2G,EAC3G,4FAA4F,CAC7F,CACF,CAAC;QACJ,CAAC;QAED,4EAA4E;QAC5E,uGAAuG;QACvG,MAAM,gBAAgB,GAAG,SAAS,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC;QAEpG,IAAI,CAAC,gBAAgB;YACjB,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC9D,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAClE,CAAC,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC;gBAC5E,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,gBAAgB,CAAC;gBAC1E,SAAS,CAAC,QAAQ,CAAC,oBAAoB,CAAC,CAAC,EAAE,CAAC;YAC/C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,kDAAkD,EAClD,uEAAuE,EACvE,KAAK,GAAG,CAAC,EACT,gFAAgF,EAChF,wEAAwE,EACxE;gBACE,8CAA8C;gBAC9C,0DAA0D;gBAC1D,iDAAiD;gBACjD,oCAAoC;aACrC,EACD,iDAAiD,EACjD,iFAAiF,EACjF,qGAAqG,CACtG,CACF,CAAC;QACJ,CAAC;QAED,0DAA0D;QAC1D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACrE,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC,CAAC;YAC5C,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACtC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,wBAAwB,EACxB,mDAAmD,EACnD,yDAAyD,EACzD,KAAK,GAAG,CAAC,EACT,uFAAuF,EACvF,+EAA+E,EAC/E;gBACE,qDAAqD;gBACrD,mDAAmD;gBACnD,2CAA2C;gBAC3C,8CAA8C;aAC/C,EACD,+CAA+C,EAC/C,sEAAsE,EACtE,qEAAqE,CACtE,CACF,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YACnE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAChC,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;gBACtE,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;gBAC/D,SAAS,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YACjF,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,+BAA+B,EAC/B,iEAAiE,EACjE,wEAAwE,EACxE,KAAK,GAAG,CAAC,EACT,iFAAiF,EACjF,mDAAmD,EACnD;gBACE,oCAAoC;gBACpC,uCAAuC;gBACvC,oDAAoD;gBACpD,6CAA6C;aAC9C,EACD,yBAAyB,EACzB,yEAAyE,EACzE,uGAAuG,CACxG,CACF,CAAC;QACJ,CAAC;QAED,0FAA0F;QAC1F,uFAAuF;QACvF,0EAA0E;QAC1E,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YACpE,0DAA0D;YAC1D,4FAA4F;YAC5F,kEAAkE;YAElE,MAAM,qBAAqB,GAAG,+CAA+C,CAAC;YAC9E,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;YAEvD,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEjC,iDAAiD;gBACjD,MAAM,SAAS,GAAG,CAChB,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAK,wBAAwB;oBAC7D,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAe,uBAAuB;oBAC7D,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAgB,gBAAgB;oBACtD,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAU,uBAAuB;oBAC7D,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAS,wBAAwB;oBAC9D,4BAA4B,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,+BAA+B;iBAC5E,CAAC;gBAEF,+FAA+F;gBAC/F,6EAA6E;gBAC7E,MAAM,iBAAiB,GAAG,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;gBAElF,IAAI,SAAS,IAAI,CAAC,iBAAiB,EAAE,CAAC;oBACpC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,yBAAyB,EACzB,8EAA8E,EAC9E,uGAAuG,EACvG,KAAK,GAAG,CAAC,EACT,0NAA0N,EAC1N,oJAAoJ,EACpJ;wBACE,wDAAwD;wBACxD,kCAAkC;wBAClC,4BAA4B;wBAC5B,qDAAqD;wBACrD,kDAAkD;wBAClD,kDAAkD;qBACnD,EACD,wEAAwE,EACxE,0OAA0O,EAC1O,8JAA8J,CAC/J,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts ADDED
@@ -0,0 +1,23 @@
1
+ /**
2
+ * TypeScript Exception Handling Security Checks
3
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
4
+ *
5
+ * Detects improper exception handling that can lead to security vulnerabilities.
6
+ * This is a completely NEW category in OWASP 2025.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for exception handling security vulnerabilities in TypeScript code
11
+ *
12
+ * Covers:
13
+ * - Check #1: Unhandled Promise rejections (MEDIUM)
14
+ * - Check #2: Empty catch blocks (MEDIUM)
15
+ * - Check #3: Error details exposed in responses (MEDIUM) - Phase 7B Day 9
16
+ * - Check #4: Missing error type checking (MEDIUM)
17
+ * - Check #5: Async functions without try-catch (MEDIUM) - Phase 7B Day 9
18
+ *
19
+ * @param lines - Array of code lines
20
+ * @returns Array of security vulnerabilities found
21
+ */
22
+ export declare function checkExceptionHandling(lines: string[]): SecurityVulnerability[];
23
+ //# sourceMappingURL=exception-handling.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"exception-handling.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/exception-handling.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;GAYG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAuQzB"}
package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js ADDED
@@ -0,0 +1,187 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Exception Handling Security Checks
4
+ * OWASP A10:2025 - Mishandling of Exceptional Conditions
5
+ *
6
+ * Detects improper exception handling that can lead to security vulnerabilities.
7
+ * This is a completely NEW category in OWASP 2025.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkExceptionHandling = checkExceptionHandling;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for exception handling security vulnerabilities in TypeScript code
14
+ *
15
+ * Covers:
16
+ * - Check #1: Unhandled Promise rejections (MEDIUM)
17
+ * - Check #2: Empty catch blocks (MEDIUM)
18
+ * - Check #3: Error details exposed in responses (MEDIUM) - Phase 7B Day 9
19
+ * - Check #4: Missing error type checking (MEDIUM)
20
+ * - Check #5: Async functions without try-catch (MEDIUM) - Phase 7B Day 9
21
+ *
22
+ * @param lines - Array of code lines
23
+ * @returns Array of security vulnerabilities found
24
+ */
25
+ function checkExceptionHandling(lines) {
26
+ const vulnerabilities = [];
27
+ let inMultiLineComment = false;
28
+ lines.forEach((line, index) => {
29
+ const trimmedLine = line.trim();
30
+ // CRITICAL: Track multi-line comment blocks (/* ... */)
31
+ if (trimmedLine.includes('/*')) {
32
+ inMultiLineComment = true;
33
+ }
34
+ if (trimmedLine.includes('*/')) {
35
+ inMultiLineComment = false;
36
+ return; // Skip the line with */
37
+ }
38
+ // CRITICAL: Skip all lines inside multi-line comments and single-line comments
39
+ if (!trimmedLine ||
40
+ inMultiLineComment ||
41
+ trimmedLine.startsWith('//') ||
42
+ trimmedLine.startsWith('*')) {
43
+ return;
44
+ }
45
+ const lowerLine = trimmedLine.toLowerCase();
46
+ // Check #1: Unhandled Promise rejections
47
+ // FIXED: Exclude import statements (e.g., import mysql from "mysql2/promise")
48
+ const isImportStatement = lowerLine.startsWith('import ') || lowerLine.includes(' from ');
49
+ // FIXED: Exclude type annotations (e.g., Promise<User>, Promise<void>)
50
+ const isTypeAnnotation = lowerLine.includes('promise<') ||
51
+ lowerLine.match(/:\s*promise/i) ||
52
+ lowerLine.match(/function.*:\s*promise/i);
53
+ // Check if inside try-catch block (look back for try)
54
+ const insideTryBlock = lines.slice(Math.max(0, index - 10), index + 1).some(prevLine => prevLine.trim().toLowerCase() === 'try {' ||
55
+ prevLine.trim().toLowerCase().endsWith('try {'));
56
+ if (!isImportStatement &&
57
+ !isTypeAnnotation &&
58
+ !insideTryBlock &&
59
+ (lowerLine.includes('promise') || lowerLine.includes('.then(')) &&
60
+ !lowerLine.includes('.catch(') &&
61
+ !lines.slice(index, Math.min(index + 3, lines.length)).some(nextLine => nextLine.toLowerCase().includes('.catch('))) {
62
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('unhandled-promise-rejection', 'promise without catch handler may cause unhandled rejections', 'Add .catch() handler or use try-catch with async/await', index + 1, 'Unhandled promise rejections can crash Node.js applications and expose error details', 'fetch("/api/data").then(data => process(data)); // no error handling', [
63
+ 'Application crashes in Node.js environment',
64
+ 'Sensitive error information exposure',
65
+ 'Service unavailability and denial of service',
66
+ 'Memory leaks from unresolved promises'
67
+ ], 'fetch("/api/data").then(data => process(data));', 'fetch("/api/data").then(data => process(data)).catch(err => console.error("Request failed", err));', 'Unhandled promise rejections can crash applications and expose sensitive debugging information'));
68
+ }
69
+ // Check #2: Empty catch blocks
70
+ if (lowerLine.includes('catch') && lowerLine.includes('{')) {
71
+ // Check if catch block is truly empty (inline {} or no content before closing brace)
72
+ const isInlineCatch = lowerLine.includes('{}');
73
+ // Check if there's any non-empty, non-comment content between catch and closing brace
74
+ const nextLines = lines.slice(index + 1, Math.min(index + 10, lines.length));
75
+ let hasContent = false;
76
+ let foundClosingBrace = false;
77
+ for (const nextLine of nextLines) {
78
+ const trimmed = nextLine.trim();
79
+ // Found closing brace
80
+ if (trimmed === '}' || trimmed.startsWith('}')) {
81
+ foundClosingBrace = true;
82
+ break;
83
+ }
84
+ // Skip empty lines and comments
85
+ if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*')) {
86
+ continue;
87
+ }
88
+ // Found actual content
89
+ hasContent = true;
90
+ break;
91
+ }
92
+ // Only flag if truly empty (inline {} or no content before closing brace)
93
+ if (isInlineCatch || (foundClosingBrace && !hasContent)) {
94
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('empty-catch-block', 'Empty catch block silently ignores exceptions', 'Add proper error handling, logging, or re-throw the exception', index + 1, 'Silent exception suppression can hide security vulnerabilities and cause unpredictable application behavior', 'try { riskyOperation(); } catch (e) {} // error completely ignored', [
95
+ 'Security vulnerabilities hidden and undetected',
96
+ 'Application state corruption from ignored errors',
97
+ 'Type safety bypass through ignored errors',
98
+ 'Debugging difficulties and maintenance issues'
99
+ ], 'try { operation(); } catch (e) {}', 'try { operation(); } catch (e) { console.error("Operation failed", e); throw e; }', 'Empty catch blocks prevent error visibility and can hide security-critical failures'));
100
+ }
101
+ }
102
+ // Check #3: Error details exposed in responses (Phase 7B Day 9)
103
+ // Enhanced: Detect error exposure in single-line and multi-line response patterns
104
+ const hasResObject = lowerLine.match(/\bres\s*\./) || lowerLine.match(/\bres\s*\)/);
105
+ const hasResponseCall = lowerLine.includes('.json(') || lowerLine.includes('.send(');
106
+ const isResponseSend = hasResObject && hasResponseCall;
107
+ // Exclude fetch API response.json() - check if it's await response.json()
108
+ const isFetchResponse = lowerLine.includes('response.') && lowerLine.includes('.json(') &&
109
+ lowerLine.includes('await') && !lowerLine.includes('(err');
110
+ const hasErrorInResponse = isResponseSend || (hasResponseCall && !isFetchResponse && lowerLine.includes('response.') && lowerLine.includes('(err'));
111
+ // Also check if we're inside a res.json() or res.send() call (look back 5 lines)
112
+ const prevLines = lines.slice(Math.max(0, index - 5), index);
113
+ const hasResponseInPrevLines = prevLines.some(prevLine => {
114
+ const lower = prevLine.toLowerCase();
115
+ const hasRes = lower.match(/\bres\s*\./) || lower.match(/\bres\s*\)/);
116
+ const hasCall = lower.includes('.json(') || lower.includes('.send(');
117
+ const isFetch = lower.includes('await') && lower.includes('response.') && !lower.includes('(err');
118
+ return (hasRes || (lower.includes('response.') && lower.includes('(err'))) && hasCall && !isFetch;
119
+ });
120
+ const hasStackExposure = lowerLine.includes('.stack') ||
121
+ lowerLine.match(/stack\s*:\s*(err|error)\.stack/);
122
+ const hasMessageExposure = (lowerLine.includes('.message') &&
123
+ (lowerLine.includes('error') || lowerLine.includes('err')));
124
+ const hasToStringExposure = lowerLine.includes('.tostring()');
125
+ if ((hasErrorInResponse || hasResponseInPrevLines) &&
126
+ (hasStackExposure || hasMessageExposure || hasToStringExposure)) {
127
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('error-details-exposed', 'error object details may be exposed in API responses', 'Return generic error messages to clients, log detailed errors server-side', index + 1, 'Exposing error objects reveals sensitive internal application information including stack traces and file paths', 'res.json({ error: err.stack }); // exposes full stack trace to client', [
128
+ 'Internal application structure exposure',
129
+ 'File paths and directory structure revelation',
130
+ 'Database connection details disclosure',
131
+ 'Third-party service configuration exposure'
132
+ ], 'res.json({ error: error.message });', 'console.error("Request failed", error); res.status(500).json({ error: "Internal server error" });', 'Error objects contain sensitive debugging information that should not be exposed to clients'));
133
+ }
134
+ // Check #4: Missing error type checking in catch blocks
135
+ // FIXED: Only match traditional try-catch blocks, NOT .catch() promise handlers
136
+ // Traditional: "} catch (e) {" or "catch (error) {"
137
+ // Promise: ".catch(error => ..." or ".catch((error) => ..."
138
+ const isTraditionalCatchBlock = trimmedLine.match(/\}\s*catch\s*\(/) ||
139
+ trimmedLine.match(/^catch\s*\(/);
140
+ const isPromiseCatchHandler = trimmedLine.includes('.catch(');
141
+ if (isTraditionalCatchBlock && !isPromiseCatchHandler &&
142
+ !lowerLine.includes(': ') && !lowerLine.includes('instanceof') &&
143
+ !lines.slice(index + 1, Math.min(index + 5, lines.length)).some(nextLine => nextLine.toLowerCase().includes('instanceof') ||
144
+ nextLine.toLowerCase().includes('typeof'))) {
145
+ // Don't flag if catch block just logs the error (common acceptable pattern)
146
+ const nextLines = lines.slice(index + 1, Math.min(index + 5, lines.length));
147
+ const hasOnlyLogging = nextLines.some(nextLine => {
148
+ const lower = nextLine.toLowerCase();
149
+ return lower.includes('console.error') || lower.includes('logger.error') ||
150
+ lower.includes('console.warn') || lower.includes('logger.warn');
151
+ });
152
+ // Also don't flag if error is re-thrown
153
+ const hasRethrow = nextLines.some(nextLine => nextLine.toLowerCase().includes('throw'));
154
+ if (!hasOnlyLogging && !hasRethrow) {
155
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('missing-error-type-check', 'Catch block without error type checking may mishandle different error types', 'Add type checking to handle different error types appropriately', index + 1, 'Without error type checking, different types of errors may be handled inappropriately', 'catch (e) { console.log(e.message); } // assumes e has message property', [
156
+ 'Runtime errors from invalid property access',
157
+ 'Inappropriate error handling for security exceptions',
158
+ 'Loss of type safety in error handling paths',
159
+ 'Potential for error handling bypasses'
160
+ ], 'catch (e) { console.log(e.message); }', 'catch (e) { if (e instanceof Error) { console.log(e.message); } else { console.log("Unknown error"); } }', 'TypeScript catch blocks should check error types to maintain type safety'));
161
+ }
162
+ }
163
+ // Check #5: Async functions without try-catch (Phase 7B Day 9)
164
+ // Detect async function declarations and check for try-catch in body
165
+ const isAsyncFunction = lowerLine.match(/^(export\s+)?(async\s+function|const\s+\w+\s*=\s*async|function\s+\w+\s*=\s*async)/);
166
+ if (isAsyncFunction) {
167
+ // Look ahead in function body for await and try-catch
168
+ const functionBody = lines.slice(index + 1, Math.min(index + 20, lines.length));
169
+ const hasAwait = functionBody.some(line => line.toLowerCase().includes('await '));
170
+ const hasTryCatch = functionBody.some(line => {
171
+ const lower = line.toLowerCase().trim();
172
+ return lower === 'try {' || lower.endsWith('try {');
173
+ });
174
+ const hasCatchChain = functionBody.some(line => line.toLowerCase().includes('.catch('));
175
+ if (hasAwait && !hasTryCatch && !hasCatchChain) {
176
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('async-without-try-catch', 'async function without try-catch may cause unhandled exceptions', 'Wrap await calls in try-catch blocks for proper error handling', index + 1, 'Unhandled async exceptions can crash applications and expose sensitive error information', 'async function fetchUser() { await fetch(); } // no error handling', [
177
+ 'Application crashes from unhandled async exceptions',
178
+ 'Sensitive error information exposure',
179
+ 'Service unavailability from uncaught errors',
180
+ 'Resource cleanup failures in error scenarios'
181
+ ], 'async function fetchUser() { const data = await fetch(); }', 'async function fetchUser() { try { const data = await fetch(); } catch (error) { console.error(error); } }', 'Async functions should use try-catch to handle potential exceptions from await calls'));
182
+ }
183
+ }
184
+ });
185
+ return vulnerabilities;
186
+ }
187
+ //# sourceMappingURL=exception-handling.js.map
package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"exception-handling.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/exception-handling.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAkBH,wDAyQC;AAxRD,sEAAqF;AAErF;;;;;;;;;;;;GAYG;AACH,SAAgB,sBAAsB,CACpC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,wDAAwD;QACxD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,WAAW,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO,CAAC,wBAAwB;QAClC,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,IAAI,CAAC;YAC5B,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,yCAAyC;QACzC,8EAA8E;QAC9E,MAAM,iBAAiB,GAAG,SAAS,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE1F,uEAAuE;QACvE,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9B,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC;YAC/B,SAAS,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAEnE,sDAAsD;QACtD,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACrF,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,OAAO;YACzC,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAChD,CAAC;QAEF,IAAI,CAAC,iBAAiB;YAClB,CAAC,gBAAgB;YACjB,CAAC,cAAc;YACf,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC/D,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC9B,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACrE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YAClD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,6BAA6B,EAC7B,8DAA8D,EAC9D,wDAAwD,EACxD,KAAK,GAAG,CAAC,EACT,sFAAsF,EACtF,sEAAsE,EACtE;gBACE,4CAA4C;gBAC5C,sCAAsC;gBACtC,8CAA8C;gBAC9C,uCAAuC;aACxC,EACD,iDAAiD,EACjD,oGAAoG,EACpG,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3D,qFAAqF;YACrF,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAE/C,sFAAsF;YACtF,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC7E,IAAI,UAAU,GAAG,KAAK,CAAC;YACvB,IAAI,iBAAiB,GAAG,KAAK,CAAC;YAE9B,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBACjC,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAEhC,sBAAsB;gBACtB,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,iBAAiB,GAAG,IAAI,CAAC;oBACzB,MAAM;gBACR,CAAC;gBAED,gCAAgC;gBAChC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;oBAChG,SAAS;gBACX,CAAC;gBAED,uBAAuB;gBACvB,UAAU,GAAG,IAAI,CAAC;gBAClB,MAAM;YACR,CAAC;YAED,0EAA0E;YAC1E,IAAI,aAAa,IAAI,CAAC,iBAAiB,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACxD,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,mBAAmB,EACnB,+CAA+C,EAC/C,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,6GAA6G,EAC7G,oEAAoE,EACpE;oBACE,gDAAgD;oBAChD,kDAAkD;oBAClD,2CAA2C;oBAC3C,+CAA+C;iBAChD,EACD,mCAAmC,EACnC,mFAAmF,EACnF,qFAAqF,CACtF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,kFAAkF;QAClF,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACpF,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACrF,MAAM,cAAc,GAAG,YAAY,IAAI,eAAe,CAAC;QAEvD,0EAA0E;QAC1E,MAAM,eAAe,GAAG,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC/D,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAEnF,MAAM,kBAAkB,GAAG,cAAc,IAAI,CAAC,eAAe,IAAI,CAAC,eAAe,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAEpJ,iFAAiF;QACjF,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC7D,MAAM,sBAAsB,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;YACvD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YACtE,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACrE,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAClG,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC;QACpG,CAAC,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC5B,SAAS,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAE3E,MAAM,kBAAkB,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAC9B,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAExF,MAAM,mBAAmB,GAAG,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAE9D,IAAI,CAAC,kBAAkB,IAAI,sBAAsB,CAAC;YAC9C,CAAC,gBAAgB,IAAI,kBAAkB,IAAI,mBAAmB,CAAC,EAAE,CAAC;YACpE,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,uBAAuB,EACvB,sDAAsD,EACtD,2EAA2E,EAC3E,KAAK,GAAG,CAAC,EACT,iHAAiH,EACjH,uEAAuE,EACvE;gBACE,yCAAyC;gBACzC,+CAA+C;gBAC/C,wCAAwC;gBACxC,4CAA4C;aAC7C,EACD,qCAAqC,EACrC,mGAAmG,EACnG,6FAA6F,CAC9F,CACF,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,gFAAgF;QAChF,oDAAoD;QACpD,4DAA4D;QAC5D,MAAM,uBAAuB,GAAG,WAAW,CAAC,KAAK,CAAC,iBAAiB,CAAC;YACpC,WAAW,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACjE,MAAM,qBAAqB,GAAG,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAE9D,IAAI,uBAAuB,IAAI,CAAC,qBAAqB;YACjD,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC9D,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACzE,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,YAAY,CAAC;gBAC7C,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;YAEjD,4EAA4E;YAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAC5E,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE;gBAC/C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACrC,OAAO,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC;oBACjE,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACzE,CAAC,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAExF,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,0BAA0B,EAC1B,6EAA6E,EAC7E,iEAAiE,EACjE,KAAK,GAAG,CAAC,EACT,uFAAuF,EACvF,yEAAyE,EACzE;oBACE,6CAA6C;oBAC7C,sDAAsD;oBACtD,6CAA6C;oBAC7C,uCAAuC;iBACxC,EACD,uCAAuC,EACvC,0GAA0G,EAC1G,0EAA0E,CAC3E,CACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,qEAAqE;QACrE,MAAM,eAAe,GAAG,SAAS,CAAC,KAAK,CAAC,oFAAoF,CAAC,CAAC;QAE9H,IAAI,eAAe,EAAE,CAAC;YACpB,sDAAsD;YACtD,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAChF,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAClF,MAAM,WAAW,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC3C,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;gBACxC,OAAO,KAAK,KAAK,OAAO,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACtD,CAAC,CAAC,CAAC;YACH,MAAM,aAAa,GAAG,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC;YAExF,IAAI,QAAQ,IAAI,CAAC,WAAW,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC/C,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EACnC,yBAAyB,EACzB,iEAAiE,EACjE,gEAAgE,EAChE,KAAK,GAAG,CAAC,EACT,0FAA0F,EAC1F,oEAAoE,EACpE;oBACE,qDAAqD;oBACrD,sCAAsC;oBACtC,6CAA6C;oBAC7C,8CAA8C;iBAC/C,EACD,4DAA4D,EAC5D,4GAA4G,EAC5G,sFAAsF,CACvF,CACF,CAAC;YACJ,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}