codeslick-cli 1.1.6 → 1.2.0

package/dist/src/lib/analyzers/go/security-checks/ssrf-detection.js

@@ -0,0 +1,252 @@
+"use strict";
+/**
+ * Go SSRF (Server-Side Request Forgery) Detection
+ * OWASP A10:2025 - Server-Side Request Forgery (SSRF)
+ *
+ * Detects SSRF vulnerabilities where user-controlled input is used in
+ * HTTP requests, file operations, or other server-side requests.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkSSRF = checkSSRF;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for SSRF vulnerabilities
+ *
+ * Covers:
+ * - Check #1: User-controlled URLs in HTTP requests (HIGH)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkSSRF(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    // Track user input variables from HTTP requests
+    const userInputVars = new Set();
+    const taintedURLVars = new Set(); // Variables assigned with concatenated user input
+    // First pass: Identify user input sources
+    lines.forEach((line, index) => {
+        const trimmed = line.trim();
+        // HTTP request parameters (query, form, headers)
+        const paramMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:r\.(?:URL\.Query\(\)\.Get|FormValue|PostFormValue|Header\.Get)|chi\.URLParam|mux\.Vars|c\.(?:Query|Param|GetHeader))\s*\(/i);
+        if (paramMatch) {
+            userInputVars.add(paramMatch[1]);
+        }
+        // HTTP request body
+        const bodyMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*(?:r\.Body|req\.Body|request\.Body)/i);
+        if (bodyMatch) {
+            userInputVars.add(bodyMatch[1]);
+        }
+        // JSON unmarshaling from request
+        const jsonMatch = trimmed.match(/json\.(?:Unmarshal|NewDecoder)\s*\([^)]*r\.Body/i);
+        if (jsonMatch) {
+            // Try to find the target variable
+            const varMatch = trimmed.match(/&(\w+)\s*\)/i);
+            if (varMatch) {
+                userInputVars.add(varMatch[1]);
+            }
+        }
+        // Track URL variables created by concatenating user input
+        // Example: url := "http://api.internal.com/" + endpoint
+        const urlConcatMatch = trimmed.match(/(\w+)\s*(?::=|=)\s*"[^"]*"\s*\+\s*(\w+)/i);
+        if (urlConcatMatch) {
+            const urlVar = urlConcatMatch[1];
+            const concatVar = urlConcatMatch[2];
+            if (userInputVars.has(concatVar)) {
+                taintedURLVars.add(urlVar);
+                userInputVars.add(urlVar); // Also track as direct user input
+            }
+        }
+        // Track variables created from user input via url.Parse
+        // Example: parsedURL, err := url.Parse(urlStr)
+        const urlParseMatch = trimmed.match(/(\w+)\s*,\s*\w+\s*:=\s*url\.Parse\s*\(\s*(\w+)/i);
+        if (urlParseMatch) {
+            const parsedVar = urlParseMatch[1];
+            const sourceVar = urlParseMatch[2];
+            if (userInputVars.has(sourceVar)) {
+                userInputVars.add(parsedVar); // Track parsedURL as user input
+                // Also track methods called on it (parsedURL.String())
+                userInputVars.add(`${parsedVar}.String()`);
+            }
+        }
+    });
+    // Second pass: Check for SSRF vulnerabilities
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1: User-Controlled URLs in HTTP Requests
+        // =============================================================================
+        // CVSS 8.0 - HIGH
+        // Detects HTTP requests where URLs are controlled by user input
+        // Detect HTTP request methods
+        const hasHTTPRequest = /(?:http|https)\.(?:Get|Post|Head|Put|Delete|NewRequest)\s*\(/i.test(trimmed);
+        if (hasHTTPRequest) {
+            // Check if any tracked user input is used in the URL
+            let usesUserInput = false;
+            let userInputVar = '';
+            for (const userVar of userInputVars) {
+                // Escape special regex characters in variable names
+                const escapedVar = userVar.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+                if (new RegExp(`\\b${escapedVar}`, 'i').test(trimmed)) {
+                    usesUserInput = true;
+                    userInputVar = userVar;
+                    break;
+                }
+            }
+            // Check for tainted URL variables (created with concatenation)
+            for (const urlVar of taintedURLVars) {
+                if (new RegExp(`\\b${urlVar}\\b`, 'i').test(trimmed)) {
+                    usesUserInput = true;
+                    userInputVar = urlVar;
+                    break;
+                }
+            }
+            // Also check for direct concatenation with request parameters
+            if (/\+\s*(?:r\.URL\.Query|r\.FormValue|r\.PostFormValue|chi\.URLParam|mux\.Vars|c\.Query|c\.Param)/i.test(trimmed)) {
+                usesUserInput = true;
+                userInputVar = 'request parameter';
+            }
+            // Check for URL string concatenation
+            if (/http\.Get\s*\([^)]*\+|http\.Post\s*\([^)]*\+|NewRequest\s*\([^)]*\+/i.test(trimmed)) {
+                usesUserInput = true;
+                userInputVar = 'concatenated value';
+            }
+            if (usesUserInput) {
+                // Look for URL validation/whitelisting in surrounding ±10 lines
+                let hasValidation = false;
+                let hasURLParsing = false;
+                let hasDomainCheck = false;
+                const startLine = Math.max(0, index - 15);
+                const endLine = Math.min(lines.length, index + 15);
+                for (let i = startLine; i < endLine; i++) {
+                    const contextLine = lines[i].trim();
+                    // Check for URL parsing
+                    if (/url\.Parse/i.test(contextLine)) {
+                        hasURLParsing = true;
+                    }
+                    // Check for domain validation (requires explicit domain checking)
+                    if (/\.Host\s*[!=]=|\.Hostname\s*[!=]=|allowed.*domains|trusted.*hosts|allowlist|whitelist/i.test(contextLine)) {
+                        hasDomainCheck = true;
+                    }
+                    // Check for immediate validation functions
+                    if (/isAllowed|validate.*url|check.*domain/i.test(contextLine)) {
+                        hasValidation = true;
+                        break;
+                    }
+                }
+                // Require both URL parsing AND domain checking for proper validation
+                if ((hasURLParsing && hasDomainCheck) || hasValidation) {
+                    hasValidation = true;
+                }
+                else {
+                    hasValidation = false;
+                }
+                if (!hasValidation) {
+                    vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                        category: 'go-ssrf',
+                        severity: 'high',
+                        confidence: 'high',
+                        message: `SSRF vulnerability: User-controlled input '${userInputVar}' used in HTTP request without validation`,
+                        line: lineNumber,
+                        suggestion: 'Validate and whitelist allowed URLs/domains before making HTTP requests',
+                        owasp: 'A10:2025 - Server-Side Request Forgery (SSRF)',
+                        cwe: 'CWE-918',
+                        pciDss: 'PCI DSS 6.5.10',
+                        remediation: {
+                            explanation: 'SSRF allows attackers to make the server perform requests to arbitrary URLs, potentially accessing internal services, cloud metadata endpoints (AWS EC2 metadata), or performing port scanning. Always validate and whitelist allowed domains.',
+                            before: `// UNSAFE\nfunc FetchURL(w http.ResponseWriter, r *http.Request) {\n    url := r.URL.Query().Get("url")\n    resp, _ := http.Get(url) // SSRF vulnerability!\n    io.Copy(w, resp.Body)\n}`,
+                            after: `// SAFE\nvar allowedDomains = []string{"api.example.com", "cdn.example.com"}\n\nfunc FetchURL(w http.ResponseWriter, r *http.Request) {\n    urlStr := r.URL.Query().Get("url")\n    \n    parsedURL, err := url.Parse(urlStr)\n    if err != nil {\n        http.Error(w, "Invalid URL", 400)\n        return\n    }\n    \n    // Validate domain against whitelist\n    allowed := false\n    for _, domain := range allowedDomains {\n        if parsedURL.Host == domain {\n            allowed = true\n            break\n        }\n    }\n    \n    if !allowed {\n        http.Error(w, "Domain not allowed", 403)\n        return\n    }\n    \n    resp, _ := http.Get(urlStr)\n    io.Copy(w, resp.Body)\n}`
+                        },
+                        attackVector: {
+                            description: 'SSRF allows attackers to make the server send requests to internal services (databases, admin panels), cloud metadata endpoints (AWS credentials), or scan internal networks. This bypasses firewalls and network segmentation.',
+                            exploitExample: `// Attacker requests:\nGET /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/\n// Server fetches AWS credentials and returns them\n\n// Or internal services:\nGET /fetch?url=http://localhost:6379/  (Redis)\nGET /fetch?url=http://admin.internal:8080/  (Admin panel)`,
+                            realWorldImpact: [
+                                'Access to cloud metadata endpoints (AWS, Azure, GCP credentials)',
+                                'Access to internal services bypassing firewalls',
+                                'Port scanning and network mapping of internal infrastructure',
+                                'Reading local files via file:// protocol',
+                                'Denial of Service by requesting large files',
+                                'Credential theft and privilege escalation'
+                            ]
+                        }
+                    }));
+                }
+            }
+        }
+        // Also check for net.Dial with user input (SSRF via arbitrary TCP connections)
+        const hasNetDial = /net\.Dial\s*\(/i.test(trimmed);
+        if (hasNetDial) {
+            let usesUserInput = false;
+            let userInputVar = '';
+            for (const userVar of userInputVars) {
+                // Escape special regex characters in variable names
+                const escapedVar = userVar.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+                if (new RegExp(`\\b${escapedVar}`, 'i').test(trimmed)) {
+                    usesUserInput = true;
+                    userInputVar = userVar;
+                    break;
+                }
+            }
+            if (/\+\s*(?:r\.URL\.Query|r\.FormValue|chi\.URLParam|c\.Query)/i.test(trimmed)) {
+                usesUserInput = true;
+                userInputVar = 'request parameter';
+            }
+            if (usesUserInput) {
+                // Look for validation in surrounding lines
+                let hasValidation = false;
+                const startLine = Math.max(0, index - 15);
+                const endLine = Math.min(lines.length, index + 15);
+                for (let i = startLine; i < endLine; i++) {
+                    const contextLine = lines[i].trim();
+                    if (/allowlist|whitelist|validate|isAllowed|allowed.*(?:addresses|hosts)/i.test(contextLine)) {
+                        hasValidation = true;
+                        break;
+                    }
+                }
+                if (!hasValidation) {
+                    vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                        category: 'go-ssrf',
+                        severity: 'high',
+                        confidence: 'high',
+                        message: `SSRF vulnerability: User-controlled input '${userInputVar}' used in net.Dial without validation`,
+                        line: lineNumber,
+                        suggestion: 'Validate and whitelist allowed hosts/ports before making network connections',
+                        owasp: 'A10:2025 - Server-Side Request Forgery (SSRF)',
+                        cwe: 'CWE-918',
+                        pciDss: 'PCI DSS 6.5.10',
+                        remediation: {
+                            explanation: 'Using user input in net.Dial allows attackers to connect to arbitrary internal services, scan ports, or access restricted resources.',
+                            before: `// UNSAFE\nhost := r.URL.Query().Get("host")\nconn, _ := net.Dial("tcp", host) // SSRF!`,
+                            after: `// SAFE\nallowedHosts := map[string]bool{\n    "api.example.com:443": true,\n}\nhost := r.URL.Query().Get("host")\nif !allowedHosts[host] {\n    return errors.New("host not allowed")\n}\nconn, _ := net.Dial("tcp", host)`
+                        },
+                        attackVector: {
+                            description: 'Arbitrary TCP connections allow attackers to scan internal networks, connect to databases, message queues, or other internal services.',
+                            exploitExample: `// Attacker scans internal network:\nfor port := 1; port <= 65535; port++ {\n    GET /connect?host=internal-db:port\n}\n// Identifies open ports and services`,
+                            realWorldImpact: [
+                                'Internal network port scanning',
+                                'Access to internal databases and services',
+                                'Bypassing firewall restrictions',
+                                'Information disclosure about internal infrastructure'
+                            ]
+                        }
+                    }));
+                }
+            }
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=ssrf-detection.js.map

package/dist/src/lib/analyzers/go/security-checks/ssrf-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-detection.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/ssrf-detection.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAcH,8BAmRC;AA9RD,sEAA6E;AAE7E;;;;;;;;GAQG;AACH,SAAgB,SAAS,CAAC,KAAe;IACvC,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,gDAAgD;IAChD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IACxC,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC,CAAC,kDAAkD;IAE5F,0CAA0C;IAC1C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,iDAAiD;QACjD,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAC9B,kJAAkJ,CACnJ,CAAC;QACF,IAAI,UAAU,EAAE,CAAC;YACf,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QACnC,CAAC;QAED,oBAAoB;QACpB,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QAC3F,IAAI,SAAS,EAAE,CAAC;YACd,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QAED,iCAAiC;QACjC,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACpF,IAAI,SAAS,EAAE,CAAC;YACd,kCAAkC;YAClC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;YAC/C,IAAI,QAAQ,EAAE,CAAC;gBACb,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,wDAAwD;QACxD,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACjF,IAAI,cAAc,EAAE,CAAC;YACnB,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YACjC,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,CAAC;YACpC,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;gBAC3B,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,kCAAkC;YAC/D,CAAC;QACH,CAAC;QAED,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,aAAa,GAAG,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACvF,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACnC,MAAM,SAAS,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;YACnC,IAAI,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,gCAAgC;gBAC9D,uDAAuD;gBACvD,aAAa,CAAC,GAAG,CAAC,GAAG,SAAS,WAAW,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,8CAA8C;IAC9C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,kDAAkD;QAClD,gFAAgF;QAChF,kBAAkB;QAClB,gEAAgE;QAEhE,8BAA8B;QAC9B,MAAM,cAAc,GAAG,+DAA+D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAErG,IAAI,cAAc,EAAE,CAAC;YACnB,qDAAqD;YACrD,IAAI,aAAa,GAAG,KAAK,CAAC;YAC1B,IAAI,YAAY,GAAG,EAAE,CAAC;YAEtB,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,oDAAoD;gBACpD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;gBAClE,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,EAAE,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,aAAa,GAAG,IAAI,CAAC;oBACrB,YAAY,GAAG,OAAO,CAAC;oBACvB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,+DAA+D;YAC/D,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;gBACpC,IAAI,IAAI,MAAM,CAAC,MAAM,MAAM,KAAK,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACrD,aAAa,GAAG,IAAI,CAAC;oBACrB,YAAY,GAAG,MAAM,CAAC;oBACtB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,8DAA8D;YAC9D,IACE,iGAAiG,CAAC,IAAI,CACpG,OAAO,CACR,EACD,CAAC;gBACD,aAAa,GAAG,IAAI,CAAC;gBACrB,YAAY,GAAG,mBAAmB,CAAC;YACrC,CAAC;YAED,qCAAqC;YACrC,IAAI,sEAAsE,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzF,aAAa,GAAG,IAAI,CAAC;gBACrB,YAAY,GAAG,oBAAoB,CAAC;YACtC,CAAC;YAED,IAAI,aAAa,EAAE,CAAC;gBAClB,gEAAgE;gBAChE,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,IAAI,cAAc,GAAG,KAAK,CAAC;gBAC3B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;gBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;gBAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;oBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAEpC,wBAAwB;oBACxB,IAAI,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBACpC,aAAa,GAAG,IAAI,CAAC;oBACvB,CAAC;oBAED,kEAAkE;oBAClE,IAAI,wFAAwF,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC/G,cAAc,GAAG,IAAI,CAAC;oBACxB,CAAC;oBAED,2CAA2C;oBAC3C,IAAI,wCAAwC,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC/D,aAAa,GAAG,IAAI,CAAC;wBACrB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,qEAAqE;gBACrE,IAAI,CAAC,aAAa,IAAI,cAAc,CAAC,IAAI,aAAa,EAAE,CAAC;oBACvD,aAAa,GAAG,IAAI,CAAC;gBACvB,CAAC;qBAAM,CAAC;oBACN,aAAa,GAAG,KAAK,CAAC;gBACxB,CAAC;gBAED,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;wBAC5B,QAAQ,EAAE,SAAS;wBACnB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,MAAM;wBAClB,OAAO,EAAE,8CAA8C,YAAY,2CAA2C;wBAC9G,IAAI,EAAE,UAAU;wBAChB,UAAU,EAAE,yEAAyE;wBACrF,KAAK,EAAE,+CAA+C;wBACtD,GAAG,EAAE,SAAS;wBACd,MAAM,EAAE,gBAAgB;wBACxB,WAAW,EAAE;4BACX,WAAW,EACT,gPAAgP;4BAClP,MAAM,EAAE,4LAA4L;4BACpM,KAAK,EAAE,yrBAAyrB;yBACjsB;wBACD,YAAY,EAAE;4BACZ,WAAW,EACT,iOAAiO;4BACnO,cAAc,EAAE,oSAAoS;4BACpT,eAAe,EAAE;gCACf,kEAAkE;gCAClE,iDAAiD;gCACjD,8DAA8D;gCAC9D,0CAA0C;gCAC1C,6CAA6C;gCAC7C,2CAA2C;6BAC5C;yBACF;qBACF,CAAC,CACH,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,MAAM,UAAU,GAAG,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEnD,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,aAAa,GAAG,KAAK,CAAC;YAC1B,IAAI,YAAY,GAAG,EAAE,CAAC;YAEtB,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,oDAAoD;gBACpD,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;gBAClE,IAAI,IAAI,MAAM,CAAC,MAAM,UAAU,EAAE,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,aAAa,GAAG,IAAI,CAAC;oBACrB,YAAY,GAAG,OAAO,CAAC;oBACvB,MAAM;gBACR,CAAC;YACH,CAAC;YAED,IAAI,6DAA6D,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChF,aAAa,GAAG,IAAI,CAAC;gBACrB,YAAY,GAAG,mBAAmB,CAAC;YACrC,CAAC;YAED,IAAI,aAAa,EAAE,CAAC;gBAClB,2CAA2C;gBAC3C,IAAI,aAAa,GAAG,KAAK,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;gBAC1C,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;gBAEnD,KAAK,IAAI,CAAC,GAAG,SAAS,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;oBACzC,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBACpC,IAAI,sEAAsE,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;wBAC7F,aAAa,GAAG,IAAI,CAAC;wBACrB,MAAM;oBACR,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;wBAC5B,QAAQ,EAAE,SAAS;wBACnB,QAAQ,EAAE,MAAM;wBAChB,UAAU,EAAE,MAAM;wBAClB,OAAO,EAAE,8CAA8C,YAAY,uCAAuC;wBAC1G,IAAI,EAAE,UAAU;wBAChB,UAAU,EAAE,8EAA8E;wBAC1F,KAAK,EAAE,+CAA+C;wBACtD,GAAG,EAAE,SAAS;wBACd,MAAM,EAAE,gBAAgB;wBACxB,WAAW,EAAE;4BACX,WAAW,EACT,sIAAsI;4BACxI,MAAM,EAAE,yFAAyF;4BACjG,KAAK,EAAE,6NAA6N;yBACrO;wBACD,YAAY,EAAE;4BACZ,WAAW,EACT,wIAAwI;4BAC1I,cAAc,EAAE,+JAA+J;4BAC/K,eAAe,EAAE;gCACf,gCAAgC;gCAChC,2CAA2C;gCAC3C,iCAAiC;gCACjC,sDAAsD;6BACvD;yBACF;qBACF,CAAC,CACH,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/tls-configuration.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Go TLS Configuration Security Checks
+ * OWASP A02:2025 - Cryptographic Failures, A05:2025 - Security Misconfiguration
+ *
+ * Detects insecure TLS/SSL configurations in Go code.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for insecure TLS/SSL configurations
+ *
+ * Covers:
+ * - Check #1: InsecureSkipVerify enabled (HIGH)
+ * - Check #2: Weak TLS versions (TLS 1.0/1.1) (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkTLSConfiguration(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=tls-configuration.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/tls-configuration.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls-configuration.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/tls-configuration.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CA6G9E"}

package/dist/src/lib/analyzers/go/security-checks/tls-configuration.js

@@ -0,0 +1,112 @@
+"use strict";
+/**
+ * Go TLS Configuration Security Checks
+ * OWASP A02:2025 - Cryptographic Failures, A05:2025 - Security Misconfiguration
+ *
+ * Detects insecure TLS/SSL configurations in Go code.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkTLSConfiguration = checkTLSConfiguration;
+const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+ * Checks for insecure TLS/SSL configurations
+ *
+ * Covers:
+ * - Check #1: InsecureSkipVerify enabled (HIGH)
+ * - Check #2: Weak TLS versions (TLS 1.0/1.1) (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+function checkTLSConfiguration(lines) {
+    const vulnerabilities = [];
+    let inMultiLineComment = false;
+    lines.forEach((line, index) => {
+        const lineNumber = index + 1;
+        const trimmed = line.trim();
+        // Track multi-line comments (/* ... */)
+        if (trimmed.includes('/*')) {
+            inMultiLineComment = true;
+        }
+        if (trimmed.includes('*/')) {
+            inMultiLineComment = false;
+            return;
+        }
+        // Skip comments and empty lines
+        if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
+            return;
+        }
+        // =============================================================================
+        // Check #1: InsecureSkipVerify Enabled
+        // =============================================================================
+        // CVSS 8.5 - HIGH
+        // Detects InsecureSkipVerify: true in TLS configuration
+        const hasInsecureSkipVerify = /InsecureSkipVerify\s*:\s*true/i.test(trimmed);
+        if (hasInsecureSkipVerify) {
+            vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                category: 'go-insecure-tls',
+                severity: 'high',
+                confidence: 'high',
+                message: 'TLS certificate verification disabled (InsecureSkipVerify: true)',
+                line: lineNumber,
+                suggestion: 'Set InsecureSkipVerify: false and use proper certificate validation',
+                owasp: 'A02:2025 - Cryptographic Failures',
+                cwe: 'CWE-295',
+                pciDss: 'PCI DSS 4.1',
+                remediation: {
+                    explanation: 'Disabling certificate verification allows man-in-the-middle attacks. An attacker can intercept HTTPS traffic and present a fake certificate. Always verify TLS certificates in production.',
+                    before: `tlsConfig := &tls.Config{\n    InsecureSkipVerify: true, // DANGEROUS!\n}`,
+                    after: `tlsConfig := &tls.Config{\n    InsecureSkipVerify: false,\n    MinVersion: tls.VersionTLS12,\n}`
+                },
+                attackVector: {
+                    description: 'When InsecureSkipVerify is true, attackers can perform man-in-the-middle attacks by presenting any certificate, including self-signed or expired certificates.',
+                    exploitExample: `// Vulnerable code:\ntlsConfig := &tls.Config{InsecureSkipVerify: true}\n// Attacker intercepts HTTPS traffic with fake certificate\n// Application accepts it without validation`,
+                    realWorldImpact: [
+                        'Man-in-the-middle attacks on HTTPS connections',
+                        'Credentials and sensitive data intercepted',
+                        'API keys and tokens stolen',
+                        'Session hijacking',
+                        'Compliance violations (PCI DSS, HIPAA, SOC 2)'
+                    ]
+                }
+            }));
+        }
+        // =============================================================================
+        // Check #2: Weak TLS Versions (TLS 1.0/1.1)
+        // =============================================================================
+        // CVSS 6.5 - MEDIUM
+        // Detects usage of deprecated TLS versions
+        const hasWeakTLSVersion = /tls\.VersionTLS10|tls\.VersionTLS11|MinVersion\s*:\s*tls\.VersionTLS1[01]\b/i.test(trimmed);
+        if (hasWeakTLSVersion) {
+            vulnerabilities.push((0, createVulnerability_1.createGoSecurityVulnerability)({
+                category: 'go-weak-tls-version',
+                severity: 'medium',
+                confidence: 'high',
+                message: 'Weak TLS version (TLS 1.0/1.1) - use TLS 1.2 or higher',
+                line: lineNumber,
+                suggestion: 'Use tls.VersionTLS12 or tls.VersionTLS13 as MinVersion',
+                owasp: 'A02:2025 - Cryptographic Failures',
+                cwe: 'CWE-327',
+                pciDss: 'PCI DSS 4.1',
+                remediation: {
+                    explanation: 'TLS 1.0 and 1.1 are deprecated and have known vulnerabilities (POODLE, BEAST). PCI DSS requires TLS 1.2+ since June 2018. Major browsers disabled TLS 1.0/1.1 in 2020.',
+                    before: `tlsConfig := &tls.Config{\n    MinVersion: tls.VersionTLS10, // Deprecated\n}`,
+                    after: `tlsConfig := &tls.Config{\n    MinVersion: tls.VersionTLS12, // PCI DSS compliant\n}`
+                },
+                attackVector: {
+                    description: 'TLS 1.0/1.1 are vulnerable to attacks like POODLE, BEAST, and others. Attackers can downgrade connections to exploit these weaknesses.',
+                    exploitExample: `// Weak TLS configuration:\nMinVersion: tls.VersionTLS10\n// Attacker forces downgrade to TLS 1.0\n// Exploits BEAST or POODLE vulnerability`,
+                    realWorldImpact: [
+                        'Protocol downgrade attacks',
+                        'Data decryption via POODLE/BEAST attacks',
+                        'PCI DSS compliance failures',
+                        'Browser warnings and connection failures',
+                        'Failed security audits'
+                    ]
+                }
+            }));
+        }
+    });
+    return vulnerabilities;
+}
+//# sourceMappingURL=tls-configuration.js.map

package/dist/src/lib/analyzers/go/security-checks/tls-configuration.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tls-configuration.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/tls-configuration.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAeH,sDA6GC;AAzHD,sEAA6E;AAE7E;;;;;;;;;GASG;AACH,SAAgB,qBAAqB,CAAC,KAAe;IACnD,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,wCAAwC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,uCAAuC;QACvC,gFAAgF;QAChF,kBAAkB;QAClB,wDAAwD;QAExD,MAAM,qBAAqB,GAAG,gCAAgC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE7E,IAAI,qBAAqB,EAAE,CAAC;YAC1B,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;gBAC5B,QAAQ,EAAE,iBAAiB;gBAC3B,QAAQ,EAAE,MAAM;gBAChB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,kEAAkE;gBAC3E,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,qEAAqE;gBACjF,KAAK,EAAE,mCAAmC;gBAC1C,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE;oBACX,WAAW,EACT,4LAA4L;oBAC9L,MAAM,EAAE,2EAA2E;oBACnF,KAAK,EAAE,iGAAiG;iBACzG;gBACD,YAAY,EAAE;oBACZ,WAAW,EACT,gKAAgK;oBAClK,cAAc,EAAE,mLAAmL;oBACnM,eAAe,EAAE;wBACf,gDAAgD;wBAChD,4CAA4C;wBAC5C,4BAA4B;wBAC5B,mBAAmB;wBACnB,+CAA+C;qBAChD;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,4CAA4C;QAC5C,gFAAgF;QAChF,oBAAoB;QACpB,2CAA2C;QAE3C,MAAM,iBAAiB,GACrB,8EAA8E,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE/F,IAAI,iBAAiB,EAAE,CAAC;YACtB,eAAe,CAAC,IAAI,CAClB,IAAA,mDAA6B,EAAC;gBAC5B,QAAQ,EAAE,qBAAqB;gBAC/B,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,wDAAwD;gBACjE,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,wDAAwD;gBACpE,KAAK,EAAE,mCAAmC;gBAC1C,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE;oBACX,WAAW,EACT,wKAAwK;oBAC1K,MAAM,EAAE,+EAA+E;oBACvF,KAAK,EAAE,sFAAsF;iBAC9F;gBACD,YAAY,EAAE;oBACZ,WAAW,EACT,wIAAwI;oBAC1I,cAAc,EAAE,8IAA8I;oBAC9J,eAAe,EAAE;wBACf,4BAA4B;wBAC5B,0CAA0C;wBAC1C,6BAA6B;wBAC7B,0CAA0C;wBAC1C,wBAAwB;qBACzB;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/go/security-checks/web-security.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Go Web Security Checks
+ * OWASP A05:2025 - Security Misconfiguration
+ *
+ * Detects missing security headers and information disclosure vulnerabilities
+ * in Go web applications.
+ */
+import { SecurityVulnerability } from '../../types';
+/**
+ * Checks for web security misconfigurations
+ *
+ * Covers:
+ * - Check #1: Missing X-Frame-Options header (MEDIUM)
+ * - Check #2: Missing HSTS header (MEDIUM)
+ * - Check #3: Missing Content-Security-Policy header (MEDIUM)
+ * - Check #4: Information disclosure via error messages (MEDIUM)
+ *
+ * @param lines - Array of code lines
+ * @returns Array of security vulnerabilities found
+ */
+export declare function checkWebSecurity(lines: string[]): SecurityVulnerability[];
+//# sourceMappingURL=web-security.d.ts.map

package/dist/src/lib/analyzers/go/security-checks/web-security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/go/security-checks/web-security.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,qBAAqB,EAAE,CAmQzE"}