codeslick-cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (455) hide show
  1. package/README.md +458 -0
  2. package/__tests__/cli-reporter.test.ts +86 -0
  3. package/__tests__/config-loader.test.ts +247 -0
  4. package/__tests__/local-scanner.test.ts +245 -0
  5. package/bin/codeslick.cjs +153 -0
  6. package/dist/packages/cli/src/commands/auth.d.ts +36 -0
  7. package/dist/packages/cli/src/commands/auth.d.ts.map +1 -0
  8. package/dist/packages/cli/src/commands/auth.js +226 -0
  9. package/dist/packages/cli/src/commands/auth.js.map +1 -0
  10. package/dist/packages/cli/src/commands/config.d.ts +37 -0
  11. package/dist/packages/cli/src/commands/config.d.ts.map +1 -0
  12. package/dist/packages/cli/src/commands/config.js +196 -0
  13. package/dist/packages/cli/src/commands/config.js.map +1 -0
  14. package/dist/packages/cli/src/commands/init.d.ts +32 -0
  15. package/dist/packages/cli/src/commands/init.d.ts.map +1 -0
  16. package/dist/packages/cli/src/commands/init.js +171 -0
  17. package/dist/packages/cli/src/commands/init.js.map +1 -0
  18. package/dist/packages/cli/src/commands/scan.d.ts +40 -0
  19. package/dist/packages/cli/src/commands/scan.d.ts.map +1 -0
  20. package/dist/packages/cli/src/commands/scan.js +204 -0
  21. package/dist/packages/cli/src/commands/scan.js.map +1 -0
  22. package/dist/packages/cli/src/config/config-loader.d.ts +67 -0
  23. package/dist/packages/cli/src/config/config-loader.d.ts.map +1 -0
  24. package/dist/packages/cli/src/config/config-loader.js +146 -0
  25. package/dist/packages/cli/src/config/config-loader.js.map +1 -0
  26. package/dist/packages/cli/src/reporters/cli-reporter.d.ts +69 -0
  27. package/dist/packages/cli/src/reporters/cli-reporter.d.ts.map +1 -0
  28. package/dist/packages/cli/src/reporters/cli-reporter.js +244 -0
  29. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -0
  30. package/dist/packages/cli/src/scanner/local-scanner.d.ts +92 -0
  31. package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -0
  32. package/dist/packages/cli/src/scanner/local-scanner.js +221 -0
  33. package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -0
  34. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +88 -0
  35. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -0
  36. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +371 -0
  37. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -0
  38. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts +63 -0
  39. package/dist/src/lib/analyzers/helpers/jsx-helpers.d.ts.map +1 -0
  40. package/dist/src/lib/analyzers/helpers/jsx-helpers.js +95 -0
  41. package/dist/src/lib/analyzers/helpers/jsx-helpers.js.map +1 -0
  42. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts +59 -0
  43. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -0
  44. package/dist/src/lib/analyzers/helpers/variable-tracker.js +231 -0
  45. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -0
  46. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts +20 -0
  47. package/dist/src/lib/analyzers/java/security-checks/access-control.d.ts.map +1 -0
  48. package/dist/src/lib/analyzers/java/security-checks/access-control.js +129 -0
  49. package/dist/src/lib/analyzers/java/security-checks/access-control.js.map +1 -0
  50. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +25 -0
  51. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -0
  52. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +221 -0
  53. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -0
  54. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts +18 -0
  55. package/dist/src/lib/analyzers/java/security-checks/code-quality.d.ts.map +1 -0
  56. package/dist/src/lib/analyzers/java/security-checks/code-quality.js +84 -0
  57. package/dist/src/lib/analyzers/java/security-checks/code-quality.js.map +1 -0
  58. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts +18 -0
  59. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.d.ts.map +1 -0
  60. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js +161 -0
  61. package/dist/src/lib/analyzers/java/security-checks/crypto-validation.js.map +1 -0
  62. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts +20 -0
  63. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.d.ts.map +1 -0
  64. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js +163 -0
  65. package/dist/src/lib/analyzers/java/security-checks/deserialization-xxe.js.map +1 -0
  66. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +24 -0
  67. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  68. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +178 -0
  69. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -0
  70. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts +25 -0
  71. package/dist/src/lib/analyzers/java/security-checks/exception-handling.d.ts.map +1 -0
  72. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js +179 -0
  73. package/dist/src/lib/analyzers/java/security-checks/exception-handling.js.map +1 -0
  74. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts +17 -0
  75. package/dist/src/lib/analyzers/java/security-checks/file-operations.d.ts.map +1 -0
  76. package/dist/src/lib/analyzers/java/security-checks/file-operations.js +67 -0
  77. package/dist/src/lib/analyzers/java/security-checks/file-operations.js.map +1 -0
  78. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts +25 -0
  79. package/dist/src/lib/analyzers/java/security-checks/framework-security.d.ts.map +1 -0
  80. package/dist/src/lib/analyzers/java/security-checks/framework-security.js +396 -0
  81. package/dist/src/lib/analyzers/java/security-checks/framework-security.js.map +1 -0
  82. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts +20 -0
  83. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.d.ts.map +1 -0
  84. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js +123 -0
  85. package/dist/src/lib/analyzers/java/security-checks/hardcoded-credentials.js.map +1 -0
  86. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +23 -0
  87. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -0
  88. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +201 -0
  89. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -0
  90. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts +20 -0
  91. package/dist/src/lib/analyzers/java/security-checks/insecure-design.d.ts.map +1 -0
  92. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js +121 -0
  93. package/dist/src/lib/analyzers/java/security-checks/insecure-design.js.map +1 -0
  94. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts +20 -0
  95. package/dist/src/lib/analyzers/java/security-checks/logging-failures.d.ts.map +1 -0
  96. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js +89 -0
  97. package/dist/src/lib/analyzers/java/security-checks/logging-failures.js.map +1 -0
  98. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts +26 -0
  99. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.d.ts.map +1 -0
  100. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js +309 -0
  101. package/dist/src/lib/analyzers/java/security-checks/security-misconfiguration.js.map +1 -0
  102. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts +18 -0
  103. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.d.ts.map +1 -0
  104. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js +114 -0
  105. package/dist/src/lib/analyzers/java/security-checks/unsafe-patterns.js.map +1 -0
  106. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts +58 -0
  107. package/dist/src/lib/analyzers/java/utils/createVulnerability.d.ts.map +1 -0
  108. package/dist/src/lib/analyzers/java/utils/createVulnerability.js +71 -0
  109. package/dist/src/lib/analyzers/java/utils/createVulnerability.js.map +1 -0
  110. package/dist/src/lib/analyzers/java-analyzer.d.ts +209 -0
  111. package/dist/src/lib/analyzers/java-analyzer.d.ts.map +1 -0
  112. package/dist/src/lib/analyzers/java-analyzer.js +1720 -0
  113. package/dist/src/lib/analyzers/java-analyzer.js.map +1 -0
  114. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts +27 -0
  115. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.d.ts.map +1 -0
  116. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js +123 -0
  117. package/dist/src/lib/analyzers/javascript/quality-checks/ai-hallucinations.js.map +1 -0
  118. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts +44 -0
  119. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.d.ts.map +1 -0
  120. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js +224 -0
  121. package/dist/src/lib/analyzers/javascript/quality-checks/async-patterns.js.map +1 -0
  122. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts +50 -0
  123. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.d.ts.map +1 -0
  124. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js +284 -0
  125. package/dist/src/lib/analyzers/javascript/quality-checks/code-patterns.js.map +1 -0
  126. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts +27 -0
  127. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.d.ts.map +1 -0
  128. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js +86 -0
  129. package/dist/src/lib/analyzers/javascript/quality-checks/comparison-issues.js.map +1 -0
  130. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts +32 -0
  131. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.d.ts.map +1 -0
  132. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js +44 -0
  133. package/dist/src/lib/analyzers/javascript/quality-checks/reference-errors.js.map +1 -0
  134. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts +22 -0
  135. package/dist/src/lib/analyzers/javascript/security-checks/access-control.d.ts.map +1 -0
  136. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js +168 -0
  137. package/dist/src/lib/analyzers/javascript/security-checks/access-control.js.map +1 -0
  138. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +25 -0
  139. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -0
  140. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +232 -0
  141. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -0
  142. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts +27 -0
  143. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.d.ts.map +1 -0
  144. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js +222 -0
  145. package/dist/src/lib/analyzers/javascript/security-checks/authentication-failures.js.map +1 -0
  146. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts +28 -0
  147. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.d.ts.map +1 -0
  148. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js +176 -0
  149. package/dist/src/lib/analyzers/javascript/security-checks/credential-crypto.js.map +1 -0
  150. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +23 -0
  151. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  152. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +113 -0
  153. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -0
  154. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts +28 -0
  155. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.d.ts.map +1 -0
  156. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js +227 -0
  157. package/dist/src/lib/analyzers/javascript/security-checks/exception-handling.js.map +1 -0
  158. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts +32 -0
  159. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.d.ts.map +1 -0
  160. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js +260 -0
  161. package/dist/src/lib/analyzers/javascript/security-checks/injection-attacks.js.map +1 -0
  162. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts +26 -0
  163. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.d.ts.map +1 -0
  164. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js +164 -0
  165. package/dist/src/lib/analyzers/javascript/security-checks/insecure-design.js.map +1 -0
  166. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts +26 -0
  167. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.d.ts.map +1 -0
  168. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js +775 -0
  169. package/dist/src/lib/analyzers/javascript/security-checks/security-misconfiguration.js.map +1 -0
  170. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts +25 -0
  171. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.d.ts.map +1 -0
  172. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js +168 -0
  173. package/dist/src/lib/analyzers/javascript/security-checks/software-integrity.js.map +1 -0
  174. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts +27 -0
  175. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.d.ts.map +1 -0
  176. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js +108 -0
  177. package/dist/src/lib/analyzers/javascript/security-checks/storage-security.js.map +1 -0
  178. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts +28 -0
  179. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.d.ts.map +1 -0
  180. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js +143 -0
  181. package/dist/src/lib/analyzers/javascript/security-checks/xss-dom-security.js.map +1 -0
  182. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts +53 -0
  183. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.d.ts.map +1 -0
  184. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js +144 -0
  185. package/dist/src/lib/analyzers/javascript/syntax/syntax-helpers.js.map +1 -0
  186. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts +72 -0
  187. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.d.ts.map +1 -0
  188. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js +314 -0
  189. package/dist/src/lib/analyzers/javascript/syntax/typescript-syntax.js.map +1 -0
  190. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts +58 -0
  191. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.d.ts.map +1 -0
  192. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js +71 -0
  193. package/dist/src/lib/analyzers/javascript/utils/createVulnerability.js.map +1 -0
  194. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts +36 -0
  195. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.d.ts.map +1 -0
  196. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js +70 -0
  197. package/dist/src/lib/analyzers/javascript/utils/metrics-calculator.js.map +1 -0
  198. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts +29 -0
  199. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.d.ts.map +1 -0
  200. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js +55 -0
  201. package/dist/src/lib/analyzers/javascript/utils/performance-analyzer.js.map +1 -0
  202. package/dist/src/lib/analyzers/javascript-analyzer.d.ts +95 -0
  203. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -0
  204. package/dist/src/lib/analyzers/javascript-analyzer.js +2141 -0
  205. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -0
  206. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts +21 -0
  207. package/dist/src/lib/analyzers/python/security-checks/access-control.d.ts.map +1 -0
  208. package/dist/src/lib/analyzers/python/security-checks/access-control.js +305 -0
  209. package/dist/src/lib/analyzers/python/security-checks/access-control.js.map +1 -0
  210. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +25 -0
  211. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -0
  212. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +242 -0
  213. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -0
  214. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts +24 -0
  215. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.d.ts.map +1 -0
  216. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js +207 -0
  217. package/dist/src/lib/analyzers/python/security-checks/authentication-flaws.js.map +1 -0
  218. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts +27 -0
  219. package/dist/src/lib/analyzers/python/security-checks/code-quality.d.ts.map +1 -0
  220. package/dist/src/lib/analyzers/python/security-checks/code-quality.js +206 -0
  221. package/dist/src/lib/analyzers/python/security-checks/code-quality.js.map +1 -0
  222. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +24 -0
  223. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -0
  224. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +113 -0
  225. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -0
  226. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts +20 -0
  227. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.d.ts.map +1 -0
  228. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js +129 -0
  229. package/dist/src/lib/analyzers/python/security-checks/crypto-failures.js.map +1 -0
  230. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts +19 -0
  231. package/dist/src/lib/analyzers/python/security-checks/data-integrity.d.ts.map +1 -0
  232. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js +90 -0
  233. package/dist/src/lib/analyzers/python/security-checks/data-integrity.js.map +1 -0
  234. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts +20 -0
  235. package/dist/src/lib/analyzers/python/security-checks/deserialization.d.ts.map +1 -0
  236. package/dist/src/lib/analyzers/python/security-checks/deserialization.js +68 -0
  237. package/dist/src/lib/analyzers/python/security-checks/deserialization.js.map +1 -0
  238. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts +25 -0
  239. package/dist/src/lib/analyzers/python/security-checks/django-security.d.ts.map +1 -0
  240. package/dist/src/lib/analyzers/python/security-checks/django-security.js +180 -0
  241. package/dist/src/lib/analyzers/python/security-checks/django-security.js.map +1 -0
  242. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +23 -0
  243. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  244. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +127 -0
  245. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -0
  246. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts +23 -0
  247. package/dist/src/lib/analyzers/python/security-checks/exception-handling.d.ts.map +1 -0
  248. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js +120 -0
  249. package/dist/src/lib/analyzers/python/security-checks/exception-handling.js.map +1 -0
  250. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts +24 -0
  251. package/dist/src/lib/analyzers/python/security-checks/flask-security.d.ts.map +1 -0
  252. package/dist/src/lib/analyzers/python/security-checks/flask-security.js +143 -0
  253. package/dist/src/lib/analyzers/python/security-checks/flask-security.js.map +1 -0
  254. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +28 -0
  255. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -0
  256. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +174 -0
  257. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -0
  258. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts +20 -0
  259. package/dist/src/lib/analyzers/python/security-checks/insecure-design.d.ts.map +1 -0
  260. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js +160 -0
  261. package/dist/src/lib/analyzers/python/security-checks/insecure-design.js.map +1 -0
  262. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts +20 -0
  263. package/dist/src/lib/analyzers/python/security-checks/logging-failures.d.ts.map +1 -0
  264. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js +121 -0
  265. package/dist/src/lib/analyzers/python/security-checks/logging-failures.js.map +1 -0
  266. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts +26 -0
  267. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.d.ts.map +1 -0
  268. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js +248 -0
  269. package/dist/src/lib/analyzers/python/security-checks/nosql-injection.js.map +1 -0
  270. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts +26 -0
  271. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.d.ts.map +1 -0
  272. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js +375 -0
  273. package/dist/src/lib/analyzers/python/security-checks/security-misconfiguration.js.map +1 -0
  274. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts +26 -0
  275. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.d.ts.map +1 -0
  276. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js +160 -0
  277. package/dist/src/lib/analyzers/python/security-checks/ssrf-detection.js.map +1 -0
  278. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts +23 -0
  279. package/dist/src/lib/analyzers/python/security-checks/web-security.d.ts.map +1 -0
  280. package/dist/src/lib/analyzers/python/security-checks/web-security.js +117 -0
  281. package/dist/src/lib/analyzers/python/security-checks/web-security.js.map +1 -0
  282. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts +58 -0
  283. package/dist/src/lib/analyzers/python/utils/createVulnerability.d.ts.map +1 -0
  284. package/dist/src/lib/analyzers/python/utils/createVulnerability.js +71 -0
  285. package/dist/src/lib/analyzers/python/utils/createVulnerability.js.map +1 -0
  286. package/dist/src/lib/analyzers/python-analyzer.d.ts +111 -0
  287. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -0
  288. package/dist/src/lib/analyzers/python-analyzer.js +1600 -0
  289. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -0
  290. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts +14 -0
  291. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.d.ts.map +1 -0
  292. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js +47 -0
  293. package/dist/src/lib/analyzers/secrets/patterns/api-keys/ai-providers.js.map +1 -0
  294. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts +13 -0
  295. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.d.ts.map +1 -0
  296. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +36 -0
  297. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -0
  298. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts +15 -0
  299. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.d.ts.map +1 -0
  300. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js +68 -0
  301. package/dist/src/lib/analyzers/secrets/patterns/api-keys/cloud-providers.js.map +1 -0
  302. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts +15 -0
  303. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.d.ts.map +1 -0
  304. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +68 -0
  305. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -0
  306. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts +12 -0
  307. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.d.ts.map +1 -0
  308. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js +45 -0
  309. package/dist/src/lib/analyzers/secrets/patterns/api-keys/generic.js.map +1 -0
  310. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts +14 -0
  311. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.d.ts.map +1 -0
  312. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +47 -0
  313. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -0
  314. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts +13 -0
  315. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.d.ts.map +1 -0
  316. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js +36 -0
  317. package/dist/src/lib/analyzers/secrets/patterns/api-keys/stripe.js.map +1 -0
  318. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts +15 -0
  319. package/dist/src/lib/analyzers/secrets/patterns/api-keys.d.ts.map +1 -0
  320. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js +32 -0
  321. package/dist/src/lib/analyzers/secrets/patterns/api-keys.js.map +1 -0
  322. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts +15 -0
  323. package/dist/src/lib/analyzers/secrets/patterns/credentials.d.ts.map +1 -0
  324. package/dist/src/lib/analyzers/secrets/patterns/credentials.js +68 -0
  325. package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -0
  326. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts +16 -0
  327. package/dist/src/lib/analyzers/secrets/patterns/private-keys.d.ts.map +1 -0
  328. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js +79 -0
  329. package/dist/src/lib/analyzers/secrets/patterns/private-keys.js.map +1 -0
  330. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts +15 -0
  331. package/dist/src/lib/analyzers/secrets/patterns/tokens.d.ts.map +1 -0
  332. package/dist/src/lib/analyzers/secrets/patterns/tokens.js +58 -0
  333. package/dist/src/lib/analyzers/secrets/patterns/tokens.js.map +1 -0
  334. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +88 -0
  335. package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -0
  336. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +162 -0
  337. package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -0
  338. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts +56 -0
  339. package/dist/src/lib/analyzers/secrets/validators/context-checker.d.ts.map +1 -0
  340. package/dist/src/lib/analyzers/secrets/validators/context-checker.js +199 -0
  341. package/dist/src/lib/analyzers/secrets/validators/context-checker.js.map +1 -0
  342. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts +56 -0
  343. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.d.ts.map +1 -0
  344. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js +102 -0
  345. package/dist/src/lib/analyzers/secrets/validators/entropy-checker.js.map +1 -0
  346. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts +38 -0
  347. package/dist/src/lib/analyzers/security-checks/es6-security.d.ts.map +1 -0
  348. package/dist/src/lib/analyzers/security-checks/es6-security.js +125 -0
  349. package/dist/src/lib/analyzers/security-checks/es6-security.js.map +1 -0
  350. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts +46 -0
  351. package/dist/src/lib/analyzers/security-checks/python-async-security.d.ts.map +1 -0
  352. package/dist/src/lib/analyzers/security-checks/python-async-security.js +92 -0
  353. package/dist/src/lib/analyzers/security-checks/python-async-security.js.map +1 -0
  354. package/dist/src/lib/analyzers/security-checks/react-security.d.ts +49 -0
  355. package/dist/src/lib/analyzers/security-checks/react-security.d.ts.map +1 -0
  356. package/dist/src/lib/analyzers/security-checks/react-security.js +125 -0
  357. package/dist/src/lib/analyzers/security-checks/react-security.js.map +1 -0
  358. package/dist/src/lib/analyzers/types.d.ts +92 -0
  359. package/dist/src/lib/analyzers/types.d.ts.map +1 -0
  360. package/dist/src/lib/analyzers/types.js +3 -0
  361. package/dist/src/lib/analyzers/types.js.map +1 -0
  362. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts +19 -0
  363. package/dist/src/lib/analyzers/typescript/security-checks/access-control.d.ts.map +1 -0
  364. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js +210 -0
  365. package/dist/src/lib/analyzers/typescript/security-checks/access-control.js.map +1 -0
  366. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts +25 -0
  367. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -0
  368. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +242 -0
  369. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -0
  370. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts +28 -0
  371. package/dist/src/lib/analyzers/typescript/security-checks/authentication.d.ts.map +1 -0
  372. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js +357 -0
  373. package/dist/src/lib/analyzers/typescript/security-checks/authentication.js.map +1 -0
  374. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts +26 -0
  375. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.d.ts.map +1 -0
  376. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js +380 -0
  377. package/dist/src/lib/analyzers/typescript/security-checks/code-injection.js.map +1 -0
  378. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts +23 -0
  379. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.d.ts.map +1 -0
  380. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js +109 -0
  381. package/dist/src/lib/analyzers/typescript/security-checks/code-quality.js.map +1 -0
  382. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts +21 -0
  383. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.d.ts.map +1 -0
  384. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js +153 -0
  385. package/dist/src/lib/analyzers/typescript/security-checks/credentials-crypto.js.map +1 -0
  386. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +23 -0
  387. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  388. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +146 -0
  389. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -0
  390. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts +23 -0
  391. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.d.ts.map +1 -0
  392. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js +187 -0
  393. package/dist/src/lib/analyzers/typescript/security-checks/exception-handling.js.map +1 -0
  394. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts +19 -0
  395. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map +1 -0
  396. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js +97 -0
  397. package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map +1 -0
  398. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +29 -0
  399. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -0
  400. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +319 -0
  401. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -0
  402. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts +21 -0
  403. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map +1 -0
  404. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js +121 -0
  405. package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.js.map +1 -0
  406. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts +27 -0
  407. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.d.ts.map +1 -0
  408. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js +213 -0
  409. package/dist/src/lib/analyzers/typescript/security-checks/security-misconfiguration.js.map +1 -0
  410. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts +19 -0
  411. package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -0
  412. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +59 -0
  413. package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -0
  414. package/dist/src/lib/analyzers/typescript/type-checker.d.ts +17 -0
  415. package/dist/src/lib/analyzers/typescript/type-checker.d.ts.map +1 -0
  416. package/dist/src/lib/analyzers/typescript/type-checker.js +515 -0
  417. package/dist/src/lib/analyzers/typescript/type-checker.js.map +1 -0
  418. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts +58 -0
  419. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.d.ts.map +1 -0
  420. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js +71 -0
  421. package/dist/src/lib/analyzers/typescript/utils/createVulnerability.js.map +1 -0
  422. package/dist/src/lib/analyzers/typescript-analyzer.d.ts +116 -0
  423. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -0
  424. package/dist/src/lib/analyzers/typescript-analyzer.js +1660 -0
  425. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -0
  426. package/dist/src/lib/security/compliance-mapping.d.ts +29 -0
  427. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -0
  428. package/dist/src/lib/security/compliance-mapping.js +1342 -0
  429. package/dist/src/lib/security/compliance-mapping.js.map +1 -0
  430. package/dist/src/lib/security/severity-scoring.d.ts +47 -0
  431. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -0
  432. package/dist/src/lib/security/severity-scoring.js +965 -0
  433. package/dist/src/lib/security/severity-scoring.js.map +1 -0
  434. package/dist/src/lib/standards/references.d.ts +16 -0
  435. package/dist/src/lib/standards/references.d.ts.map +1 -0
  436. package/dist/src/lib/standards/references.js +1161 -0
  437. package/dist/src/lib/standards/references.js.map +1 -0
  438. package/dist/src/lib/types/index.d.ts +167 -0
  439. package/dist/src/lib/types/index.d.ts.map +1 -0
  440. package/dist/src/lib/types/index.js +3 -0
  441. package/dist/src/lib/types/index.js.map +1 -0
  442. package/dist/src/lib/utils/code-cleaner.d.ts +59 -0
  443. package/dist/src/lib/utils/code-cleaner.d.ts.map +1 -0
  444. package/dist/src/lib/utils/code-cleaner.js +283 -0
  445. package/dist/src/lib/utils/code-cleaner.js.map +1 -0
  446. package/package.json +51 -0
  447. package/src/commands/auth.ts +308 -0
  448. package/src/commands/config.ts +226 -0
  449. package/src/commands/init.ts +202 -0
  450. package/src/commands/scan.ts +238 -0
  451. package/src/config/config-loader.ts +175 -0
  452. package/src/reporters/cli-reporter.ts +282 -0
  453. package/src/scanner/local-scanner.ts +250 -0
  454. package/tsconfig.json +24 -0
  455. package/tsconfig.tsbuildinfo +1 -0
package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts ADDED
@@ -0,0 +1,19 @@
1
+ /**
2
+ * TypeScript Information Disclosure Security Checks
3
+ * OWASP A05:2021 - Security Misconfiguration
4
+ *
5
+ * Detects sensitive information exposure vulnerabilities
6
+ * in TypeScript Express/Koa error handlers.
7
+ */
8
+ import { SecurityVulnerability } from '../../types';
9
+ /**
10
+ * Checks for information disclosure vulnerabilities in TypeScript code
11
+ *
12
+ * Covers:
13
+ * - Check #86: Stack trace exposure in error handlers (HIGH)
14
+ *
15
+ * @param lines - Array of code lines
16
+ * @returns Array of security vulnerabilities found
17
+ */
18
+ export declare function checkInformationDisclosure(lines: string[]): SecurityVulnerability[];
19
+ //# sourceMappingURL=information-disclosure.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"information-disclosure.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/information-disclosure.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CACxC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAgHzB"}
package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js ADDED
@@ -0,0 +1,97 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Information Disclosure Security Checks
4
+ * OWASP A05:2021 - Security Misconfiguration
5
+ *
6
+ * Detects sensitive information exposure vulnerabilities
7
+ * in TypeScript Express/Koa error handlers.
8
+ */
9
+ Object.defineProperty(exports, "__esModule", { value: true });
10
+ exports.checkInformationDisclosure = checkInformationDisclosure;
11
+ const createVulnerability_1 = require("../utils/createVulnerability");
12
+ /**
13
+ * Checks for information disclosure vulnerabilities in TypeScript code
14
+ *
15
+ * Covers:
16
+ * - Check #86: Stack trace exposure in error handlers (HIGH)
17
+ *
18
+ * @param lines - Array of code lines
19
+ * @returns Array of security vulnerabilities found
20
+ */
21
+ function checkInformationDisclosure(lines) {
22
+ const vulnerabilities = [];
23
+ let inMultiLineComment = false;
24
+ lines.forEach((line, index) => {
25
+ const lineNumber = index + 1;
26
+ const trimmed = line.trim();
27
+ // Track multi-line comment blocks (/* ... */)
28
+ if (trimmed.includes('/*')) {
29
+ inMultiLineComment = true;
30
+ }
31
+ if (trimmed.includes('*/')) {
32
+ inMultiLineComment = false;
33
+ return;
34
+ }
35
+ // Skip comments and empty lines
36
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
37
+ return;
38
+ // OWASP A05:2021 - Security Misconfiguration
39
+ // Check #86: Stack trace exposure in error handlers - HIGH
40
+ // Pattern: app.use((err, req, res, next) => { res.json({ stack: err.stack }) })
41
+ // Detects error handler middleware with 4 parameters exposing err.stack or err.message
42
+ // First, detect error handler middleware pattern (4 parameters)
43
+ // Matches both: (err, req, res, next) and (err: any, req: any, res: any, next: any)
44
+ const errorHandlerPattern = /(app|router)\.use\s*\(\s*\(\s*err\s*(?::\s*\w+)?\s*,\s*req\s*(?::\s*\w+)?\s*,\s*res\s*(?::\s*\w+)?\s*,\s*next\s*(?::\s*\w+)?\s*\)/i;
45
+ if (trimmed.match(errorHandlerPattern)) {
46
+ // Check next 15 lines for stack trace exposure
47
+ const nextLines = lines.slice(index, Math.min(index + 15, lines.length));
48
+ // Look for patterns that expose error details
49
+ const exposesStackTrace = nextLines.some(l => {
50
+ const lowerLine = l.toLowerCase();
51
+ return (
52
+ // err.stack being sent in response
53
+ (lowerLine.includes('err.stack') || lowerLine.includes('error.stack')) ||
54
+ // err.message with stack property access nearby
55
+ (lowerLine.includes('err.message') &&
56
+ nextLines.some(nl => nl.toLowerCase().includes('.stack'))));
57
+ });
58
+ // Look for production environment check
59
+ const hasProductionCheck = nextLines.some(l => {
60
+ const lowerLine = l.toLowerCase();
61
+ return (lowerLine.includes('node_env') ||
62
+ lowerLine.includes('production') ||
63
+ lowerLine.includes('process.env.env'));
64
+ });
65
+ if (exposesStackTrace && !hasProductionCheck) {
66
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('stack-trace-exposure', 'Error handler exposes sensitive stack traces in production', 'Only expose stack traces in development: if (process.env.NODE_ENV !== "production") { ... }', lineNumber, 'Stack traces contain sensitive information about the application\'s internal structure, file paths, library versions, and database details. Exposing this in production enables attackers to identify vulnerabilities and craft targeted attacks.', 'app.use((err, req, res, next) => res.status(500).json({error: err.message, stack: err.stack})) → attacker sees: "at /home/app/src/database/connection.js:42:15"', [
67
+ 'Disclosure of internal file paths and project structure',
68
+ 'Exposure of framework and library versions (enables targeted exploits)',
69
+ 'Revelation of database connection details and queries',
70
+ 'Information gathering for targeted attacks',
71
+ 'Compliance violations (OWASP, PCI-DSS require error message sanitization)'
72
+ ], 'app.use((err: any, req: any, res: any, next: any) => {\n res.status(500).json({ error: err.message, stack: err.stack });\n});', 'app.use((err: any, req: any, res: any, next: any) => {\n if (process.env.NODE_ENV === "production") {\n res.status(500).json({ error: "Internal server error" });\n } else {\n res.status(500).json({ error: err.message, stack: err.stack });\n }\n});', 'Add environment check to only expose detailed error information in development. In production, return generic error messages to prevent information leakage.'));
73
+ }
74
+ }
75
+ // Additional check: Direct stack trace exposure (not in error handler)
76
+ // Pattern: res.json({ stack: err.stack }) or res.send(err.stack)
77
+ if ((trimmed.includes('res.json') || trimmed.includes('res.send')) &&
78
+ (trimmed.includes('err.stack') || trimmed.includes('error.stack'))) {
79
+ // Check surrounding lines for environment check
80
+ const surroundingLines = lines.slice(Math.max(0, index - 3), Math.min(index + 3, lines.length));
81
+ const hasEnvCheck = surroundingLines.some(l => {
82
+ const lowerLine = l.toLowerCase();
83
+ return lowerLine.includes('node_env') || lowerLine.includes('production');
84
+ });
85
+ if (!hasEnvCheck) {
86
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('direct-stack-exposure', 'Direct exposure of stack trace without environment check', 'Add production check: if (process.env.NODE_ENV !== "production") before exposing stack traces', lineNumber, 'Stack trace exposure reveals internal application details that attackers can use to identify and exploit vulnerabilities.', 'res.json({stack: err.stack}) in production → reveals "/app/src/auth/controller.ts:125:30"', [
87
+ 'Internal path disclosure',
88
+ 'Technology stack fingerprinting',
89
+ 'Vulnerability identification aid',
90
+ 'Attack surface mapping'
91
+ ], 'res.status(500).json({ error: err.message, stack: err.stack });', 'if (process.env.NODE_ENV !== "production") {\n res.status(500).json({ error: err.message, stack: err.stack });\n} else {\n res.status(500).json({ error: "Internal server error" });\n}', 'Wrap stack trace exposure in environment check to prevent information leakage in production'));
92
+ }
93
+ }
94
+ });
95
+ return vulnerabilities;
96
+ }
97
+ //# sourceMappingURL=information-disclosure.js.map
package/dist/src/lib/analyzers/typescript/security-checks/information-disclosure.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"information-disclosure.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/information-disclosure.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAcH,gEAkHC;AA7HD,sEAAqF;AAErF;;;;;;;;GAQG;AACH,SAAgB,0BAA0B,CACxC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,6CAA6C;QAC7C,2DAA2D;QAC3D,gFAAgF;QAChF,uFAAuF;QAEvF,gEAAgE;QAChE,oFAAoF;QACpF,MAAM,mBAAmB,GAAG,oIAAoI,CAAC;QAEjK,IAAI,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC;YACvC,+CAA+C;YAC/C,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,EAAE,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAEzE,8CAA8C;YAC9C,MAAM,iBAAiB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO;gBACL,mCAAmC;gBACnC,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;oBACtE,gDAAgD;oBAChD,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;wBACjC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC5D,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,wCAAwC;YACxC,MAAM,kBAAkB,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;oBAC9B,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAChC,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CACtC,CAAC;YACJ,CAAC,CAAC,CAAC;YAEH,IAAI,iBAAiB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBAC7C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,4DAA4D,EAC5D,6FAA6F,EAC7F,UAAU,EACV,mPAAmP,EACnP,iKAAiK,EACjK;oBACE,yDAAyD;oBACzD,wEAAwE;oBACxE,uDAAuD;oBACvD,4CAA4C;oBAC5C,2EAA2E;iBAC5E,EACD,gIAAgI,EAChI,kQAAkQ,EAClQ,8JAA8J,CAC/J,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,uEAAuE;QACvE,iEAAiE;QACjE,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;YAC9D,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC;YAEvE,gDAAgD;YAChD,MAAM,gBAAgB,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC;YAChG,MAAM,WAAW,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;gBAC5C,MAAM,SAAS,GAAG,CAAC,CAAC,WAAW,EAAE,CAAC;gBAClC,OAAO,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YAC5E,CAAC,CAAC,CAAC;YAEH,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,uBAAuB,EACvB,0DAA0D,EAC1D,+FAA+F,EAC/F,UAAU,EACV,2HAA2H,EAC3H,2FAA2F,EAC3F;oBACE,0BAA0B;oBAC1B,iCAAiC;oBACjC,kCAAkC;oBAClC,wBAAwB;iBACzB,EACD,iEAAiE,EACjE,2LAA2L,EAC3L,6FAA6F,CAC9F,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts ADDED
@@ -0,0 +1,29 @@
1
+ /**
2
+ * TypeScript Injection Attack Security Checks
3
+ * OWASP A03:2021 - Injection
4
+ *
5
+ * Detects code injection and XSS vulnerabilities in TypeScript code.
6
+ */
7
+ import { SecurityVulnerability } from '../../types';
8
+ /**
9
+ * Checks for injection attack vulnerabilities in TypeScript code
10
+ *
11
+ * Covers:
12
+ * - Check #1: eval() usage (CRITICAL)
13
+ * - Check #2: Function constructor (HIGH)
14
+ * - Check #3: setTimeout/setInterval with strings (MEDIUM)
15
+ * - Check #4: innerHTML with variables (HIGH) - XSS
16
+ * - Check #5: outerHTML with variables (HIGH) - XSS
17
+ * - Check #6: document.write (MEDIUM) - XSS
18
+ * - Check #7: dangerouslySetInnerHTML (React) (HIGH) - XSS
19
+ * - Check #8: res.send/res.write with HTML template literals (HIGH) - XSS
20
+ * - Check #9: NoSQL Injection - MongoDB operator injection (CRITICAL) - Phase A P0
21
+ * - Check #10: NoSQL Injection - MongoDB $where JavaScript injection (CRITICAL) - Phase A P0
22
+ * - Check #11: SSTI - Server-Side Template Injection (CRITICAL) - Phase B
23
+ * - Check #12: LDAP Injection (CRITICAL) - Phase B
24
+ *
25
+ * @param lines - Array of code lines
26
+ * @returns Array of security vulnerabilities found
27
+ */
28
+ export declare function checkInjectionAttacks(lines: string[]): SecurityVulnerability[];
29
+ //# sourceMappingURL=injection-attacks.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA2ezB"}
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js ADDED
@@ -0,0 +1,319 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Injection Attack Security Checks
4
+ * OWASP A03:2021 - Injection
5
+ *
6
+ * Detects code injection and XSS vulnerabilities in TypeScript code.
7
+ */
8
+ Object.defineProperty(exports, "__esModule", { value: true });
9
+ exports.checkInjectionAttacks = checkInjectionAttacks;
10
+ const createVulnerability_1 = require("../utils/createVulnerability");
11
+ /**
12
+ * Checks for injection attack vulnerabilities in TypeScript code
13
+ *
14
+ * Covers:
15
+ * - Check #1: eval() usage (CRITICAL)
16
+ * - Check #2: Function constructor (HIGH)
17
+ * - Check #3: setTimeout/setInterval with strings (MEDIUM)
18
+ * - Check #4: innerHTML with variables (HIGH) - XSS
19
+ * - Check #5: outerHTML with variables (HIGH) - XSS
20
+ * - Check #6: document.write (MEDIUM) - XSS
21
+ * - Check #7: dangerouslySetInnerHTML (React) (HIGH) - XSS
22
+ * - Check #8: res.send/res.write with HTML template literals (HIGH) - XSS
23
+ * - Check #9: NoSQL Injection - MongoDB operator injection (CRITICAL) - Phase A P0
24
+ * - Check #10: NoSQL Injection - MongoDB $where JavaScript injection (CRITICAL) - Phase A P0
25
+ * - Check #11: SSTI - Server-Side Template Injection (CRITICAL) - Phase B
26
+ * - Check #12: LDAP Injection (CRITICAL) - Phase B
27
+ *
28
+ * @param lines - Array of code lines
29
+ * @returns Array of security vulnerabilities found
30
+ */
31
+ function checkInjectionAttacks(lines) {
32
+ const vulnerabilities = [];
33
+ let inMultiLineComment = false;
34
+ // Track variables assigned from user input (simple within-function tracking)
35
+ const userInputVariables = new Map(); // variable name -> line number
36
+ lines.forEach((line, index) => {
37
+ const lineNumber = index + 1;
38
+ const trimmed = line.trim();
39
+ // Track multi-line comment blocks (/* ... */)
40
+ if (trimmed.includes('/*')) {
41
+ inMultiLineComment = true;
42
+ }
43
+ if (trimmed.includes('*/')) {
44
+ inMultiLineComment = false;
45
+ return;
46
+ }
47
+ // Skip comments and empty lines
48
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//') || trimmed.startsWith('*'))
49
+ return;
50
+ // OWASP A03:2021 - Injection
51
+ // 1. eval() - CRITICAL
52
+ if (trimmed.includes('eval(')) {
53
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('eval-usage', 'CRITICAL: eval() allows arbitrary code execution', 'Use JSON.parse() or type-safe alternatives', lineNumber, 'An attacker can inject malicious code through any input that reaches eval(), enabling complete control over the application\'s execution context.', 'eval(userInput) where userInput = "require(\'child_process\').exec(\'rm -rf /\')"', [
54
+ 'Remote Code Execution (RCE)',
55
+ 'Complete system compromise',
56
+ 'Data theft and exfiltration',
57
+ 'Malware installation'
58
+ ], 'const result = eval(userInput);', 'const result = JSON.parse(userInput); // For data only', 'Replace eval() with JSON.parse() for data parsing, or refactor code to avoid dynamic execution entirely'));
59
+ }
60
+ // 2. Function constructor - HIGH
61
+ if (trimmed.match(/new\s+Function\s*\(/)) {
62
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('function-constructor', 'Function constructor similar to eval() - vulnerable to injection', 'Avoid creating functions dynamically from strings', lineNumber, 'The Function constructor creates functions from strings at runtime, allowing arbitrary code execution if the input is attacker-controlled.', 'new Function(userInput)() where userInput = "return process.env"', [
63
+ 'Code injection',
64
+ 'Access to sensitive data',
65
+ 'Bypass of security restrictions',
66
+ 'Remote code execution in certain contexts'
67
+ ], 'const fn = new Function(userCode); fn();', '// Refactor to avoid dynamic code generation\n// Use predefined functions or safer alternatives', 'Eliminate dynamic function creation. Use predefined functions, configuration objects, or refactor the architecture'));
68
+ }
69
+ // 3. setTimeout/setInterval with strings OR variables - MEDIUM
70
+ if (trimmed.match(/set(Timeout|Interval)\s*\(\s*['"]/) ||
71
+ trimmed.match(/set(Timeout|Interval)\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,/)) {
72
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('settimeout-string', 'setTimeout/setInterval with string or code variable executes code like eval()', 'Use anonymous function: setTimeout(() => {...}, delay)', lineNumber, 'Passing a string or variable containing code to setTimeout/setInterval causes it to be evaluated as code, similar to eval().', 'setTimeout("alert(userInput)", 1000) or setTimeout(code, 1000) where code/userInput is attacker-controlled', [
73
+ 'Code injection via timing functions',
74
+ 'XSS attacks',
75
+ 'Bypass of CSP (Content Security Policy)'
76
+ ], 'setTimeout("doSomething()", 1000); // or setTimeout(code, 1000);', 'setTimeout(() => doSomething(), 1000);', 'Always pass a function reference or arrow function to setTimeout/setInterval, never a string or variable containing code'));
77
+ }
78
+ // OWASP A03:2021 - XSS (Cross-Site Scripting)
79
+ // 4. innerHTML with variables - HIGH
80
+ if (trimmed.match(/\.innerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
81
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'XSS: innerHTML with unsanitized variables', 'Use textContent, DOMPurify, or createElement()', lineNumber, 'An attacker can inject malicious JavaScript code through user input, stealing session cookies, credentials, or performing actions on behalf of the user.', 'element.innerHTML = "<div>" + userInput + "</div>" where userInput = "<img src=x onerror=alert(document.cookie)>"', [
82
+ 'Session hijacking (cookie theft)',
83
+ 'Credential theft (keylogging)',
84
+ 'Phishing attacks',
85
+ 'Malware distribution',
86
+ 'Defacement'
87
+ ], 'element.innerHTML = "<div>" + userContent + "</div>";', 'element.textContent = userContent; // Safe for plain text\n// Or: element.innerHTML = DOMPurify.sanitize(userContent);', 'Use textContent for plain text, or sanitize HTML with DOMPurify before setting innerHTML'));
88
+ }
89
+ // 5. outerHTML - HIGH
90
+ if (trimmed.match(/\.outerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
91
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'XSS: outerHTML with unsanitized variables', 'Use safe DOM methods', lineNumber, 'Setting outerHTML with user content allows XSS attacks by replacing the entire element with malicious HTML.', 'element.outerHTML = userHTML where userHTML contains <img src=x onerror=alert(1)>', [
92
+ 'Cross-site scripting (XSS)',
93
+ 'Session hijacking',
94
+ 'Credential theft',
95
+ 'Malware distribution'
96
+ ], 'element.outerHTML = "<div>" + userContent + "</div>";', 'const div = document.createElement("div");\ndiv.textContent = userContent;\nelement.replaceWith(div);', 'Create elements using createElement() and set content with textContent, or sanitize HTML with DOMPurify'));
97
+ }
98
+ // 6. document.write - MEDIUM
99
+ if (trimmed.includes('document.write')) {
100
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('document-write', 'document.write is unsafe, deprecated and can cause XSS', 'Use createElement() and appendChild()', lineNumber, 'document.write() is synchronous, deprecated, and can be exploited for XSS if used with untrusted data.', 'document.write("<div>" + userInput + "</div>")', [
101
+ 'XSS vulnerability',
102
+ 'Performance issues (parser-blocking)',
103
+ 'Overwrites page content if called after page load'
104
+ ], 'document.write("<h1>" + title + "</h1>");', 'const h1 = document.createElement("h1");\nh1.textContent = title;\ndocument.body.appendChild(h1);', 'Use modern DOM APIs: createElement(), textContent, and appendChild()'));
105
+ }
106
+ // 7. dangerouslySetInnerHTML (React) - HIGH
107
+ if (trimmed.match(/dangerouslySetInnerHTML\s*=\s*{{/)) {
108
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'React dangerouslySetInnerHTML can cause XSS', 'Sanitize with DOMPurify before use', lineNumber, 'Using dangerouslySetInnerHTML without sanitization allows XSS attacks through user-supplied HTML content.', '<div dangerouslySetInnerHTML={{__html: userInput}} /> where userInput contains malicious script', [
109
+ 'Cross-site scripting (XSS)',
110
+ 'Session hijacking',
111
+ 'Credential theft',
112
+ 'Malware distribution'
113
+ ], '<div dangerouslySetInnerHTML={{__html: userInput}} />', 'import DOMPurify from "dompurify";\n<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />', 'Always sanitize HTML content with DOMPurify before passing to dangerouslySetInnerHTML'));
114
+ }
115
+ // 8. Express res.send/res.write with HTML template literals - HIGH
116
+ // Detects: res.send(`<h1>Hello ${name}</h1>`) - Reflected XSS
117
+ if (trimmed.match(/(res|response)\.(send|write)\s*\(/) &&
118
+ trimmed.includes('`') &&
119
+ trimmed.match(/<[^>]+>/) &&
120
+ trimmed.includes('${')) {
121
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'XSS: res.send/res.write with HTML template literals and variables', 'Escape HTML or use a templating engine with auto-escaping', lineNumber, 'Sending HTML with unescaped user input allows attackers to inject malicious scripts that execute in the victim\'s browser, stealing cookies or performing actions on their behalf.', 'res.send(`<h1>Hello ${req.query.name}</h1>`) where name = "<script>alert(document.cookie)</script>"', [
122
+ 'Reflected XSS attacks',
123
+ 'Session hijacking (cookie theft)',
124
+ 'Credential theft',
125
+ 'Phishing attacks',
126
+ 'Malware distribution'
127
+ ], 'res.send(`<h1>Hello ${userName}</h1>`);', 'import { escapeHtml } from "escape-html";\nres.send(`<h1>Hello ${escapeHtml(userName)}</h1>`);\n// Or use template engine: res.render("template", { userName });', 'Use HTML escaping libraries (escape-html) or template engines with auto-escaping (EJS, Handlebars, Pug)'));
128
+ }
129
+ // =============================================================================
130
+ // PHASE A P0 - NoSQL Injection Detection (Dec 19, 2025)
131
+ // =============================================================================
132
+ // Track user input variable assignments (simple within-function tracking)
133
+ // Pattern: const query = req.body; const filter = req.json(); etc.
134
+ const userInputAssignment = trimmed.match(/^(?:const|let|var)\s+(\w+)\s*=\s*(req\.(body|json|query|params|get))/);
135
+ if (userInputAssignment) {
136
+ const varName = userInputAssignment[1];
137
+ userInputVariables.set(varName, lineNumber);
138
+ }
139
+ // 9. MongoDB Operator Injection - CRITICAL
140
+ // Pattern: collection.find(req.body) or collection.findOne(userQuery)
141
+ // Detects MongoDB query methods with user-controlled input
142
+ const mongoMethodMatch = trimmed.match(/\.(find|findOne|findOneAndUpdate|update|updateOne|updateMany|delete|deleteOne|deleteMany|count|countDocuments|aggregate)\s*\(/);
143
+ if (mongoMethodMatch) {
144
+ const methodName = mongoMethodMatch[1];
145
+ // Extract argument to MongoDB method
146
+ const methodCallMatch = trimmed.match(/\.(find|findOne|findOneAndUpdate|update|updateOne|updateMany|delete|deleteOne|deleteMany|count|countDocuments|aggregate)\s*\(\s*([^)]+)\s*\)/);
147
+ if (methodCallMatch) {
148
+ const args = methodCallMatch[2].trim();
149
+ // Check for direct user input
150
+ const hasDirectUserInput = args.includes('req.body') ||
151
+ args.includes('req.json()') ||
152
+ args.includes('req.query') ||
153
+ args.includes('req.params');
154
+ // Check for user input variable
155
+ const firstArg = args.split(',')[0].trim();
156
+ const hasUserInputVariable = userInputVariables.has(firstArg);
157
+ // Check for object spread with potential user input
158
+ const hasSpreadWithUserInput = args.match(/\.\.\.\s*req\.(body|json\(\)|query|params)/) ||
159
+ (args.includes('...') && userInputVariables.has(args.match(/\.\.\.\s*(\w+)/)?.[1] || ''));
160
+ if (hasDirectUserInput || hasUserInputVariable || hasSpreadWithUserInput) {
161
+ const userInputSource = hasDirectUserInput
162
+ ? args.match(/req\.(body|json|query|params)/)?.[0] || 'req.body'
163
+ : (hasUserInputVariable ? `${firstArg} (line ${userInputVariables.get(firstArg)})` : 'spread operator');
164
+ // Only flag if not using safe field extraction pattern
165
+ // Safe: { username: req.body.username } or { username, password } destructured
166
+ const isSafeFieldExtraction = args.match(/\{\s*\w+\s*:\s*req\.(body|query|params)\.\w+\s*\}/) ||
167
+ !args.includes('req.') && !hasUserInputVariable && !hasSpreadWithUserInput;
168
+ if (!isSafeFieldExtraction) {
169
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('nosql-injection', `MongoDB ${methodName}() with user-controlled input - operator injection risk`, 'Use schema validation (zod/joi) or explicit field extraction', lineNumber, `MongoDB query methods accept object-like inputs. Attackers can inject MongoDB operators like {$gt: ""}, {$ne: null}, or {$or: [...]} to bypass authentication, access unauthorized data, or manipulate queries. User input from ${userInputSource} is passed directly to the query.`, `const user = await db.users.findOne(req.body); // Attack: POST {\"username\": {\"$ne\": null}, \"password\": {\"$ne\": null}} bypasses authentication`, [
170
+ 'Authentication bypass (login without valid credentials)',
171
+ 'Unauthorized data access (read all database records)',
172
+ 'Data exfiltration via operator injection',
173
+ 'Privilege escalation (access admin accounts)',
174
+ 'Database enumeration and information disclosure'
175
+ ], `const credentials = req.body;\nconst user = await db.users.${methodName}(credentials); // Vulnerable to MongoDB operator injection`, `// Option 1: Schema validation (recommended)\nimport { z } from 'zod';\nconst LoginSchema = z.object({\n username: z.string().min(1).max(50),\n password: z.string().min(1)\n});\nconst validated = LoginSchema.parse(req.body);\nconst user = await db.users.${methodName}(validated);\n\n// Option 2: Explicit field extraction\nconst { username, password } = req.body;\nconst user = await db.users.${methodName}({ username, password }); // Only expected fields`, 'Never pass user input directly to MongoDB query methods. Use schema validation (zod, joi, class-validator) to ensure only expected fields with correct types, or extract fields explicitly. Reject objects containing keys starting with $ or containing nested objects.'));
176
+ }
177
+ }
178
+ }
179
+ }
180
+ // 10. MongoDB $where JavaScript Injection - CRITICAL
181
+ // Pattern: collection.find({ "$where": `this.age > ${minAge}` })
182
+ // Detects $where operator with string interpolation
183
+ if (trimmed.includes('$where') || trimmed.includes('"$where"') || trimmed.includes("'$where'")) {
184
+ // Check for template literal interpolation
185
+ const hasTemplateLiteral = trimmed.match(/\$where['"]?\s*:\s*`[^`]*\$\{/) ||
186
+ trimmed.match(/\$where['"]?\s*:\s*['"].*\$\{/);
187
+ // Check for string concatenation
188
+ const hasStringConcat = trimmed.match(/\$where['"]?\s*:\s*['"][^'"]*['"]?\s*\+/) ||
189
+ trimmed.match(/\$where['"]?\s*:\s*.*\+\s*\w+/);
190
+ if (hasTemplateLiteral || hasStringConcat) {
191
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('nosql-injection', 'MongoDB $where clause with JavaScript injection risk', 'Avoid $where entirely - use native MongoDB operators ($gt, $lt, $eq, etc.)', lineNumber, 'MongoDB $where operator executes JavaScript code on the server. If user input is interpolated into $where clauses using template literals or string concatenation, attackers can inject arbitrary JavaScript code, leading to remote code execution, data exfiltration, or denial of service.', 'const query = { "$where": `this.age > ${req.body.minAge}` }; // Attack: minAge = "0; return true; //" returns all documents', [
192
+ 'Remote Code Execution (JavaScript execution in MongoDB process)',
193
+ 'Complete database compromise and data theft',
194
+ 'Denial of Service (infinite loops, resource exhaustion)',
195
+ 'Bypass of all authentication and authorization',
196
+ 'Server takeover via process.mainModule.require'
197
+ ], 'const minAge = req.query.age;\nconst users = await db.users.find({ "$where": `this.age > ${minAge}` }); // JavaScript injection!', '// NEVER use $where with user input\n// Use native MongoDB operators instead:\nconst minAge = parseInt(req.query.age, 10);\nconst users = await db.users.find({ age: { $gt: minAge } }); // Safe: native operator, no code execution', 'MongoDB $where operator is extremely dangerous and should never be used with user input. Always use native MongoDB query operators ($gt, $lt, $eq, $in, $and, $or, etc.) which do not execute code. If complex logic is needed, implement it in application code, not in database queries.'));
198
+ }
199
+ }
200
+ // Additional check: Detect spread operator with user input (catches multi-line MongoDB calls)
201
+ // Pattern: { ...req.body } or { ...req.json() } anywhere in code
202
+ if (trimmed.match(/\{\s*\.\.\.\s*req\.(body|json\(\)|query|params)/)) {
203
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('nosql-injection', 'Object spread with user input - potential NoSQL injection', 'Extract specific fields or use schema validation', lineNumber, 'Using object spread operator with unsanitized user input allows attackers to inject arbitrary fields into database queries, potentially bypassing authentication or accessing unauthorized data.', '{ ...req.body } // Attack: POST {"$ne": null} bypasses all authentication checks', [
204
+ 'Authentication bypass (NoSQL operator injection)',
205
+ 'Unauthorized data access',
206
+ 'Privilege escalation',
207
+ 'Data exfiltration'
208
+ ], 'const updateData = { ...req.body };\nawait db.users.updateOne({ _id: userId }, updateData);', 'const { field1, field2 } = req.body;\nconst updateData = { field1, field2 };\nawait db.users.updateOne({ _id: userId }, updateData);', 'Always explicitly extract required fields from user input instead of using spread operator. This prevents attackers from injecting NoSQL operators like $ne, $gt, $or, etc.'));
209
+ }
210
+ // =============================================================================
211
+ // PHASE B - Server-Side Template Injection & LDAP Injection (Dec 20, 2025)
212
+ // =============================================================================
213
+ // 11. SSTI - Server-Side Template Injection - CRITICAL
214
+ // Pattern: Handlebars.compile(userInput), Pug.compile(), EJS.render(), etc.
215
+ // Detects template compilation with user-controlled input
216
+ const templateMethods = [
217
+ 'Handlebars.compile',
218
+ 'Pug.compile',
219
+ 'EJS.render',
220
+ 'Nunjucks.renderString',
221
+ 'res.render'
222
+ ];
223
+ for (const method of templateMethods) {
224
+ if (trimmed.includes(method)) {
225
+ // Extract argument to template method
226
+ const methodPattern = new RegExp(`${method.replace('.', '\\.')}\\s*\\(`);
227
+ const methodMatch = trimmed.match(methodPattern);
228
+ if (methodMatch) {
229
+ // Check for direct user input
230
+ const hasDirectUserInput = trimmed.includes('req.body') ||
231
+ trimmed.includes('req.json()') ||
232
+ trimmed.includes('req.query') ||
233
+ trimmed.includes('req.params');
234
+ // Check for user input variable
235
+ const argMatch = trimmed.match(new RegExp(`${method.replace('.', '\\.')}\\s*\\(\\s*([^),]+)`));
236
+ const firstArg = argMatch ? argMatch[1].trim() : '';
237
+ const hasUserInputVariable = userInputVariables.has(firstArg);
238
+ // Check for template literal with user input
239
+ const hasTemplateLiteral = trimmed.match(/`[^`]*\$\{/) &&
240
+ (trimmed.includes('req.') || Array.from(userInputVariables.keys()).some(varName => trimmed.includes(varName)));
241
+ if (hasDirectUserInput || hasUserInputVariable || hasTemplateLiteral) {
242
+ const userInputSource = hasDirectUserInput
243
+ ? (trimmed.match(/req\.(body|json\(\)|query|params)/)?.[0] || 'req.body')
244
+ : (hasUserInputVariable ? `${firstArg} (line ${userInputVariables.get(firstArg)})` : 'template literal');
245
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('ssti', `Server-Side Template Injection via ${method}() with user-controlled template`, 'Never compile user input as templates - only use user data in template variables', lineNumber, `Template engines like Handlebars, Pug, EJS, and Nunjucks execute code when compiling templates. If attackers control the template string (from ${userInputSource}), they can inject template expressions that execute arbitrary code on the server, leading to Remote Code Execution (RCE).`, `${method}(req.body.template) // Attack: template = "{{constructor.constructor('return process.env')()}}" exposes all environment variables including secrets`, [
246
+ 'Remote Code Execution (RCE)',
247
+ 'Complete server takeover',
248
+ 'Environment variable disclosure (API keys, secrets)',
249
+ 'File system access and data exfiltration',
250
+ 'Denial of Service (infinite loops)',
251
+ 'Lateral movement to other services'
252
+ ], `const template = req.query.template;\nconst compiled = ${method}(template); // User controls template code!`, `// NEVER compile user input as templates\n// Use user input only as data in pre-defined templates:\nconst template = ${method}('Hello {{name}}'); // Safe: template is hardcoded\nconst result = template({ name: req.body.name }); // User data in variables only`, 'Never allow user input to be used as template code. Always use pre-defined, hardcoded templates and only pass user data as template variables. For dynamic content, use parameterized templates with user input in data context, never in template strings.'));
253
+ }
254
+ }
255
+ }
256
+ }
257
+ // =============================================================================
258
+ // 12. LDAP Injection - CRITICAL
259
+ // Pattern: LDAP filter construction with user input via template literals or concatenation
260
+ // Detects: client.search() with user-controlled filters
261
+ // =============================================================================
262
+ // Detect LDAP search operations
263
+ if (trimmed.match(/\.(search|searchOne|bind)\s*\(/)) {
264
+ // Check for LDAP filter construction with user input
265
+ // Pattern 1: Filter as template literal with user input
266
+ // const filter = `(uid=${req.body.username})`;
267
+ const hasFilterTemplateLiteral = trimmed.match(/filter\s*[:=]\s*`[^`]*\$\{/) &&
268
+ (trimmed.includes('req.') ||
269
+ Array.from(userInputVariables.keys()).some(varName => trimmed.includes(varName)));
270
+ // Pattern 2: LDAP method with template literal filter in argument
271
+ // client.search('ou=users', { filter: `(uid=${username})` })
272
+ const hasInlineFilterTemplate = trimmed.match(/filter\s*:\s*`[^`]*\$\{/) &&
273
+ (trimmed.includes('req.') ||
274
+ Array.from(userInputVariables.keys()).some(varName => trimmed.includes(varName)));
275
+ // Pattern 3: String concatenation in filter
276
+ // const filter = "(uid=" + req.body.username + ")";
277
+ const hasFilterConcat = trimmed.match(/filter\s*[:=]\s*['"][^'"]*['"]?\s*\+/) &&
278
+ (trimmed.includes('req.') ||
279
+ Array.from(userInputVariables.keys()).some(varName => trimmed.includes(varName)));
280
+ // Pattern 4: User input variable used in filter
281
+ const filterMatch = trimmed.match(/filter\s*[:=]\s*([a-zA-Z_$][a-zA-Z0-9_$]*)/);
282
+ const filterVarName = filterMatch ? filterMatch[1] : '';
283
+ const hasUserInputFilterVar = userInputVariables.has(filterVarName);
284
+ // Pattern 5: ES6 shorthand property syntax { filter } where filter is user input variable
285
+ const shorthandMatch = trimmed.match(/\{\s*filter\s*[,}]/);
286
+ const hasShorthandFilter = shorthandMatch && userInputVariables.has('filter');
287
+ if (hasFilterTemplateLiteral || hasInlineFilterTemplate || hasFilterConcat || hasUserInputFilterVar || hasShorthandFilter) {
288
+ const userInputSource = hasShorthandFilter
289
+ ? `filter variable (line ${userInputVariables.get('filter')})`
290
+ : (hasUserInputFilterVar
291
+ ? `${filterVarName} (line ${userInputVariables.get(filterVarName)})`
292
+ : 'user input in filter');
293
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('ldap-injection', `LDAP Injection via filter construction with ${userInputSource}`, 'Use parameterized LDAP queries or escape LDAP special characters', lineNumber, 'LDAP queries constructed with unescaped user input allow attackers to manipulate the query logic by injecting LDAP filter operators like *, (, ), &, |, or !. This can bypass authentication, access unauthorized data, or enumerate directory information.', 'const filter = `(uid=${req.body.username})`; // Attack: username = "*)(uid=*))(|(uid=*" bypasses authentication and returns all users', [
294
+ 'Authentication bypass (login as any user)',
295
+ 'Unauthorized data access (read sensitive directory information)',
296
+ 'Directory enumeration (discover user accounts, groups)',
297
+ 'Privilege escalation (access admin accounts)',
298
+ 'Information disclosure (email addresses, phone numbers, organizational structure)'
299
+ ], 'const username = req.body.username;\nconst filter = `(uid=${username})`;\nclient.search(\'ou=users,dc=example,dc=com\', { filter }); // Vulnerable to LDAP injection', '// Option 1: Use LDAP escape function\nimport { escape } from \'ldap-escape\';\nconst username = req.body.username;\nconst filter = `(uid=${escape(username)})`; // Escapes special chars: * ( ) \\ NUL\nclient.search(\'ou=users,dc=example,dc=com\', { filter });\n\n// Option 2: Use parameterized queries if library supports\nconst filter = { uid: req.body.username }; // Some libraries support object filters', 'Never construct LDAP filters using string concatenation or template literals with user input. Use LDAP escape functions (ldap-escape npm package) to escape special characters: * ( ) \\ & | ! = < > ~ NUL. Alternatively, use parameterized query APIs if your LDAP library supports them. Validate user input against a whitelist of allowed characters.'));
300
+ }
301
+ }
302
+ // Detect LDAP filter variable assignments with user input
303
+ // Pattern: const filter = `(uid=${req.body.username})`;
304
+ if (trimmed.match(/(?:const|let|var)\s+\w+\s*=\s*`[^`]*\(uid=|\(cn=|\(mail=/)) {
305
+ const hasUserInput = trimmed.match(/\$\{[^}]*req\./) ||
306
+ Array.from(userInputVariables.keys()).some(varName => trimmed.includes('${' + varName));
307
+ if (hasUserInput) {
308
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('ldap-injection', 'LDAP Injection via filter template literal with user input', 'Use LDAP escape function (ldap-escape) for user input in filters', lineNumber, 'LDAP filters constructed with template literals containing user input are vulnerable to LDAP injection attacks. Attackers can inject filter operators to bypass authentication or access unauthorized data.', 'const filter = `(uid=${req.body.username})`; // Attack: username = "*)(uid=*))(|(uid=*" returns all users', [
309
+ 'Authentication bypass',
310
+ 'Unauthorized data access',
311
+ 'Directory enumeration',
312
+ 'Information disclosure'
313
+ ], 'const filter = `(uid=${req.body.username})`;', 'import { escape } from \'ldap-escape\';\nconst filter = `(uid=${escape(req.body.username)})`;', 'Always escape user input in LDAP filters using the ldap-escape npm package or equivalent LDAP escape function'));
314
+ }
315
+ }
316
+ });
317
+ return vulnerabilities;
318
+ }
319
+ //# sourceMappingURL=injection-attacks.js.map
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyBH,sDA6eC;AAngBD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,qBAAqB,CACnC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,6EAA6E;IAC7E,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,+BAA+B;IAErF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,6BAA6B;QAC7B,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,YAAY,EACZ,kDAAkD,EAClD,4CAA4C,EAC5C,UAAU,EACV,mJAAmJ,EACnJ,mFAAmF,EACnF;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,sBAAsB;aACvB,EACD,iCAAiC,EACjC,wDAAwD,EACxD,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,kEAAkE,EAClE,mDAAmD,EACnD,UAAU,EACV,4IAA4I,EAC5I,kEAAkE,EAClE;gBACE,gBAAgB;gBAChB,0BAA0B;gBAC1B,iCAAiC;gBACjC,2CAA2C;aAC5C,EACD,0CAA0C,EAC1C,iGAAiG,EACjG,oHAAoH,CACrH,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,EAAE,CAAC;YAC/E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mBAAmB,EACnB,+EAA+E,EAC/E,wDAAwD,EACxD,UAAU,EACV,8HAA8H,EAC9H,4GAA4G,EAC5G;gBACE,qCAAqC;gBACrC,aAAa;gBACb,yCAAyC;aAC1C,EACD,kEAAkE,EAClE,wCAAwC,EACxC,0HAA0H,CAC3H,CAAC,CAAC;QACL,CAAC;QAED,8CAA8C;QAC9C,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,gDAAgD,EAChD,UAAU,EACV,0JAA0J,EAC1J,mHAAmH,EACnH;gBACE,kCAAkC;gBAClC,+BAA+B;gBAC/B,kBAAkB;gBAClB,sBAAsB;gBACtB,YAAY;aACb,EACD,uDAAuD,EACvD,wHAAwH,EACxH,0FAA0F,CAC3F,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,sBAAsB,EACtB,UAAU,EACV,6GAA6G,EAC7G,mFAAmF,EACnF;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,uGAAuG,EACvG,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,wDAAwD,EACxD,uCAAuC,EACvC,UAAU,EACV,wGAAwG,EACxG,gDAAgD,EAChD;gBACE,mBAAmB;gBACnB,sCAAsC;gBACtC,mDAAmD;aACpD,EACD,2CAA2C,EAC3C,mGAAmG,EACnG,sEAAsE,CACvE,CAAC,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,IAAI,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC;YACtD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,6CAA6C,EAC7C,oCAAoC,EACpC,UAAU,EACV,2GAA2G,EAC3G,iGAAiG,EACjG;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,+GAA+G,EAC/G,uFAAuF,CACxF,CAAC,CAAC;QACL,CAAC;QAED,mEAAmE;QACnE,8DAA8D;QAC9D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,mEAAmE,EACnE,2DAA2D,EAC3D,UAAU,EACV,oLAAoL,EACpL,qGAAqG,EACrG;gBACE,uBAAuB;gBACvB,kCAAkC;gBAClC,kBAAkB;gBAClB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,yCAAyC,EACzC,kKAAkK,EAClK,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,wDAAwD;QACxD,gFAAgF;QAEhF,0EAA0E;QAC1E,mEAAmE;QACnE,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAClH,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACvC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC9C,CAAC;QAED,2CAA2C;QAC3C,sEAAsE;QACtE,2DAA2D;QAC3D,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,+HAA+H,CAAC,CAAC;QAExK,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;YAEvC,qCAAqC;YACrC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,8IAA8I,CAAC,CAAC;YAEtL,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEvC,8BAA8B;gBAC9B,MAAM,kBAAkB,GACtB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;oBACzB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAC3B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC1B,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9B,gCAAgC;gBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAE9D,oDAAoD;gBACpD,MAAM,sBAAsB,GAAG,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC;oBACvD,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAE1H,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,sBAAsB,EAAE,CAAC;oBACzE,MAAM,eAAe,GAAG,kBAAkB;wBACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU;wBAChE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;oBAE1G,uDAAuD;oBACvD,+EAA+E;oBAC/E,MAAM,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC;wBAC9D,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,sBAAsB,CAAC;oBAE1G,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,WAAW,UAAU,yDAAyD,EAC9E,8DAA8D,EAC9D,UAAU,EACV,mOAAmO,eAAe,mCAAmC,EACrR,uJAAuJ,EACvJ;4BACE,yDAAyD;4BACzD,sDAAsD;4BACtD,0CAA0C;4BAC1C,8CAA8C;4BAC9C,iDAAiD;yBAClD,EACD,8DAA8D,UAAU,4DAA4D,EACpI,mQAAmQ,UAAU,iIAAiI,UAAU,mDAAmD,EAC3c,0QAA0Q,CAC3Q,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,iEAAiE;QACjE,oDAAoD;QACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/F,2CAA2C;YAC3C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC;gBAC5C,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAE5E,iCAAiC;YACjC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAExE,IAAI,kBAAkB,IAAI,eAAe,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,sDAAsD,EACtD,4EAA4E,EAC5E,UAAU,EACV,+RAA+R,EAC/R,6HAA6H,EAC7H;oBACE,iEAAiE;oBACjE,6CAA6C;oBAC7C,yDAAyD;oBACzD,gDAAgD;oBAChD,gDAAgD;iBACjD,EACD,kIAAkI,EAClI,sOAAsO,EACtO,4RAA4R,CAC7R,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8FAA8F;QAC9F,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,2DAA2D,EAC3D,kDAAkD,EAClD,UAAU,EACV,kMAAkM,EAClM,kFAAkF,EAClF;gBACE,kDAAkD;gBAClD,0BAA0B;gBAC1B,sBAAsB;gBACtB,mBAAmB;aACpB,EACD,6FAA6F,EAC7F,sIAAsI,EACtI,6KAA6K,CAC9K,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,2EAA2E;QAC3E,gFAAgF;QAEhF,uDAAuD;QACvD,4EAA4E;QAC5E,0DAA0D;QAC1D,MAAM,eAAe,GAAG;YACtB,oBAAoB;YACpB,aAAa;YACb,YAAY;YACZ,uBAAuB;YACvB,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,sCAAsC;gBACtC,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;gBACzE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBAEjD,IAAI,WAAW,EAAE,CAAC;oBAChB,8BAA8B;oBAC9B,MAAM,kBAAkB,GACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;wBAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBAC9B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;oBAEjC,gCAAgC;oBAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;oBAC/F,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAE9D,6CAA6C;oBAC7C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC;wBAC1B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAE3I,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,kBAAkB,EAAE,CAAC;wBACrE,MAAM,eAAe,GAAG,kBAAkB;4BACxC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC;4BACzE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC;wBAE3G,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,MAAM,EACN,sCAAsC,MAAM,kCAAkC,EAC9E,kFAAkF,EAClF,UAAU,EACV,kJAAkJ,eAAe,4HAA4H,EAC7R,GAAG,MAAM,qJAAqJ,EAC9J;4BACE,6BAA6B;4BAC7B,0BAA0B;4BAC1B,qDAAqD;4BACrD,0CAA0C;4BAC1C,oCAAoC;4BACpC,oCAAoC;yBACrC,EACD,0DAA0D,MAAM,6CAA6C,EAC7G,wHAAwH,MAAM,sIAAsI,EACpQ,6PAA6P,CAC9P,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,gCAAgC;QAChC,2FAA2F;QAC3F,wDAAwD;QACxD,gFAAgF;QAEhF,gCAAgC;QAChC,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACpD,qDAAqD;YAErD,wDAAwD;YACxD,+CAA+C;YAC/C,MAAM,wBAAwB,GAAG,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;gBAC1C,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAErH,kEAAkE;YAClE,6DAA6D;YAC7D,MAAM,uBAAuB,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC;gBACvC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAEpH,4CAA4C;YAC5C,oDAAoD;YACpD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;gBACpD,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAE5G,gDAAgD;YAChD,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChF,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxD,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAEpE,0FAA0F;YAC1F,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC3D,MAAM,kBAAkB,GAAG,cAAc,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE9E,IAAI,wBAAwB,IAAI,uBAAuB,IAAI,eAAe,IAAI,qBAAqB,IAAI,kBAAkB,EAAE,CAAC;gBAC1H,MAAM,eAAe,GAAG,kBAAkB;oBACxC,CAAC,CAAC,yBAAyB,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG;oBAC9D,CAAC,CAAC,CAAC,qBAAqB;wBACtB,CAAC,CAAC,GAAG,aAAa,UAAU,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG;wBACpE,CAAC,CAAC,sBAAsB,CAAC,CAAC;gBAE9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,+CAA+C,eAAe,EAAE,EAChE,kEAAkE,EAClE,UAAU,EACV,6PAA6P,EAC7P,uIAAuI,EACvI;oBACE,2CAA2C;oBAC3C,iEAAiE;oBACjE,wDAAwD;oBACxD,8CAA8C;oBAC9C,mFAAmF;iBACpF,EACD,sKAAsK,EACtK,wZAAwZ,EACxZ,4VAA4V,CAC7V,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,wDAAwD;QACxD,IAAI,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,EAAE,CAAC;YAC9E,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACnD,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC;YAE1D,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,4DAA4D,EAC5D,kEAAkE,EAClE,UAAU,EACV,6MAA6M,EAC7M,2GAA2G,EAC3G;oBACE,uBAAuB;oBACvB,0BAA0B;oBAC1B,uBAAuB;oBACvB,wBAAwB;iBACzB,EACD,8CAA8C,EAC9C,+FAA+F,EAC/F,+GAA+G,CAChH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts ADDED
@@ -0,0 +1,21 @@
1
+ /**
2
+ * TypeScript Logging and Monitoring Security Checks
3
+ * OWASP A09:2025 - Security Logging and Monitoring Failures
4
+ *
5
+ * Detects critical logging vulnerabilities:
6
+ * - Check #92: Missing audit logging for critical operations
7
+ * - Check #93: Sensitive data in logs
8
+ */
9
+ import { SecurityVulnerability } from '../../types';
10
+ /**
11
+ * Checks for logging and monitoring failures in TypeScript code
12
+ *
13
+ * Covers:
14
+ * - Check #92: Missing audit logging for critical operations (MEDIUM)
15
+ * - Check #93: Sensitive data logged (HIGH)
16
+ *
17
+ * @param lines - Array of code lines
18
+ * @returns Array of security vulnerabilities found
19
+ */
20
+ export declare function checkLoggingFailures(lines: string[]): SecurityVulnerability[];
21
+ //# sourceMappingURL=logging-failures.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/logging-failures.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"logging-failures.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/logging-failures.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CA0IzB"}