codeslick-cli 1.2.0 → 1.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (103) hide show
  1. package/README.md +18 -19
  2. package/dist/packages/cli/src/reporters/cli-reporter.js +7 -7
  3. package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -1
  4. package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.d.ts +5 -2
  5. package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.d.ts.map +1 -1
  6. package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.js +61 -5
  7. package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.js.map +1 -1
  8. package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts +6 -4
  9. package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts.map +1 -1
  10. package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js +97 -4
  11. package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js.map +1 -1
  12. package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.d.ts +21 -0
  13. package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.d.ts.map +1 -0
  14. package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.js +114 -0
  15. package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.js.map +1 -0
  16. package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts +1 -0
  17. package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts.map +1 -1
  18. package/dist/src/lib/analyzers/go/security-checks/injection-attacks.js +48 -0
  19. package/dist/src/lib/analyzers/go/security-checks/injection-attacks.js.map +1 -1
  20. package/dist/src/lib/analyzers/go-analyzer.d.ts.map +1 -1
  21. package/dist/src/lib/analyzers/go-analyzer.js +3 -0
  22. package/dist/src/lib/analyzers/go-analyzer.js.map +1 -1
  23. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +226 -2
  24. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -1
  25. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +1108 -23
  26. package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -1
  27. package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -1
  28. package/dist/src/lib/analyzers/helpers/variable-tracker.js +6 -4
  29. package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -1
  30. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +2 -0
  31. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -1
  32. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +76 -12
  33. package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -1
  34. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +2 -0
  35. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -1
  36. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +99 -6
  37. package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -1
  38. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +1 -0
  39. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -1
  40. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +41 -3
  41. package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -1
  42. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +3 -2
  43. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -1
  44. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +82 -11
  45. package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -1
  46. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +3 -0
  47. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -1
  48. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +75 -0
  49. package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -1
  50. package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -1
  51. package/dist/src/lib/analyzers/javascript-analyzer.js +9 -2
  52. package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -1
  53. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +3 -2
  54. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -1
  55. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +113 -10
  56. package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -1
  57. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +2 -0
  58. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -1
  59. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +48 -0
  60. package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -1
  61. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +3 -0
  62. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -1
  63. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +84 -0
  64. package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -1
  65. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +4 -2
  66. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -1
  67. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +43 -3
  68. package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -1
  69. package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -1
  70. package/dist/src/lib/analyzers/python-analyzer.js +19 -3
  71. package/dist/src/lib/analyzers/python-analyzer.js.map +1 -1
  72. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +1 -1
  73. package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -1
  74. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +2 -2
  75. package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -1
  76. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +3 -3
  77. package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -1
  78. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -1
  79. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +8 -1
  80. package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -1
  81. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +2 -0
  82. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -1
  83. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +49 -0
  84. package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -1
  85. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +13 -11
  86. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -1
  87. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +79 -22
  88. package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -1
  89. package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts +24 -0
  90. package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts.map +1 -0
  91. package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js +181 -0
  92. package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js.map +1 -0
  93. package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -1
  94. package/dist/src/lib/analyzers/typescript-analyzer.js +3 -0
  95. package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -1
  96. package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -1
  97. package/dist/src/lib/security/compliance-mapping.js +19 -0
  98. package/dist/src/lib/security/compliance-mapping.js.map +1 -1
  99. package/dist/src/lib/security/severity-scoring.d.ts.map +1 -1
  100. package/dist/src/lib/security/severity-scoring.js +7 -0
  101. package/dist/src/lib/security/severity-scoring.js.map +1 -1
  102. package/package.json +1 -1
  103. package/src/reporters/cli-reporter.ts +7 -7
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js CHANGED
@@ -13,17 +13,19 @@ const createVulnerability_1 = require("../utils/createVulnerability");
13
13
  *
14
14
  * Covers:
15
15
  * - Check #1: eval() usage (CRITICAL)
16
- * - Check #2: Function constructor (HIGH)
17
- * - Check #3: setTimeout/setInterval with strings (MEDIUM)
18
- * - Check #4: innerHTML with variables (HIGH) - XSS
19
- * - Check #5: outerHTML with variables (HIGH) - XSS
20
- * - Check #6: document.write (MEDIUM) - XSS
21
- * - Check #7: dangerouslySetInnerHTML (React) (HIGH) - XSS
22
- * - Check #8: res.send/res.write with HTML template literals (HIGH) - XSS
23
- * - Check #9: NoSQL Injection - MongoDB operator injection (CRITICAL) - Phase A P0
24
- * - Check #10: NoSQL Injection - MongoDB $where JavaScript injection (CRITICAL) - Phase A P0
25
- * - Check #11: SSTI - Server-Side Template Injection (CRITICAL) - Phase B
26
- * - Check #12: LDAP Injection (CRITICAL) - Phase B
16
+ * - Check #2: Command Injection - exec/execSync/spawn with user input (CRITICAL)
17
+ * - Check #3: Function constructor (HIGH)
18
+ * - Check #4: setTimeout/setInterval with strings (MEDIUM)
19
+ * - Check #5: innerHTML with variables (HIGH) - XSS
20
+ * - Check #6: outerHTML with variables (HIGH) - XSS
21
+ * - Check #7: document.write (MEDIUM) - XSS
22
+ * - Check #8: dangerouslySetInnerHTML (React) (HIGH) - XSS
23
+ * - Check #9: res.send/res.write with HTML template literals (HIGH) - XSS
24
+ * - Check #10: NoSQL Injection - MongoDB operator injection (CRITICAL) - Phase A P0
25
+ * - Check #11: NoSQL Injection - MongoDB $where JavaScript injection (CRITICAL) - Phase A P0
26
+ * - Check #12: SSTI - Server-Side Template Injection (CRITICAL) - Phase B
27
+ * - Check #13: LDAP Injection (CRITICAL) - Phase B
28
+ * - Check #14: Weak Validation Regex - credit cards, emails (MEDIUM)
27
29
  *
28
30
  * @param lines - Array of code lines
29
31
  * @returns Array of security vulnerabilities found
@@ -57,7 +59,37 @@ function checkInjectionAttacks(lines) {
57
59
  'Malware installation'
58
60
  ], 'const result = eval(userInput);', 'const result = JSON.parse(userInput); // For data only', 'Replace eval() with JSON.parse() for data parsing, or refactor code to avoid dynamic execution entirely'));
59
61
  }
60
- // 2. Function constructor - HIGH
62
+ // 2. Command Injection - CRITICAL
63
+ // Detects exec(), execSync(), spawn() with user-controlled input
64
+ if (trimmed.match(/\b(?:exec|execSync|execFile|execFileSync)\s*\(/)) {
65
+ // Check if command contains template literals or concatenation with variables
66
+ const hasTemplateLiteral = trimmed.match(/exec(?:Sync|File|FileSync)?\s*\(\s*`[^`]*\$\{/);
67
+ const hasStringConcat = trimmed.match(/exec(?:Sync|File|FileSync)?\s*\(\s*['"][^'"]*['"]?\s*\+/) ||
68
+ trimmed.match(/exec(?:Sync|File|FileSync)?\s*\(\s*.*\+\s*\w+/);
69
+ const hasVariableCmd = trimmed.match(/exec(?:Sync|File|FileSync)?\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*[,)]/);
70
+ // Check if variable was assigned from user input
71
+ let isUserControlled = false;
72
+ if (hasVariableCmd) {
73
+ const varMatch = trimmed.match(/exec(?:Sync|File|FileSync)?\s*\(\s*([a-zA-Z_$][a-zA-Z0-9_$]*)/);
74
+ if (varMatch) {
75
+ const varName = varMatch[1];
76
+ isUserControlled = userInputVariables.has(varName) ||
77
+ lines.slice(0, index).some(prevLine => prevLine.includes(`${varName}`) &&
78
+ (prevLine.includes('req.body') || prevLine.includes('req.query') || prevLine.includes('req.params') || prevLine.includes('${')));
79
+ }
80
+ }
81
+ if (hasTemplateLiteral || hasStringConcat || isUserControlled) {
82
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('command-injection', 'CRITICAL: Command Injection via exec() with user-controlled input', 'Use spawn() with arguments array or validate/sanitize input strictly', lineNumber, 'Executing shell commands with user-controlled input allows attackers to inject additional commands using shell metacharacters like ;, &&, ||, |, `, $(), etc. This leads to Remote Code Execution (RCE) with full server privileges.', 'exec(`process-payment --amount ${req.body.amount}`) // Attack: amount = "100; rm -rf /" deletes entire filesystem', [
83
+ 'Remote Code Execution (RCE)',
84
+ 'Complete server takeover',
85
+ 'Data theft and exfiltration',
86
+ 'Malware installation',
87
+ 'Denial of Service',
88
+ 'Privilege escalation'
89
+ ], 'const cmd = `process-payment --amount ${payment.amount} --currency ${payment.currency}`;\nexec(cmd);', '// Option 1: Use spawn() with arguments array (RECOMMENDED)\nimport { spawn } from \'child_process\';\nconst result = spawn(\'process-payment\', [\'--amount\', payment.amount, \'--currency\', payment.currency]);\n\n// Option 2: Strict validation (less safe)\nif (!/^[0-9.]+$/.test(payment.amount)) throw new Error(\'Invalid amount\');\nif (!/^[A-Z]{3}$/.test(payment.currency)) throw new Error(\'Invalid currency\');\nexec(`process-payment --amount ${payment.amount} --currency ${payment.currency}`);', 'Never use exec() with user input. Use spawn() or execFile() with arguments array instead, which prevents shell injection. If you must use exec(), validate input against strict whitelists (alphanumeric only, no special characters).'));
90
+ }
91
+ }
92
+ // 3. Function constructor - HIGH
61
93
  if (trimmed.match(/new\s+Function\s*\(/)) {
62
94
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('function-constructor', 'Function constructor similar to eval() - vulnerable to injection', 'Avoid creating functions dynamically from strings', lineNumber, 'The Function constructor creates functions from strings at runtime, allowing arbitrary code execution if the input is attacker-controlled.', 'new Function(userInput)() where userInput = "return process.env"', [
63
95
  'Code injection',
@@ -66,7 +98,7 @@ function checkInjectionAttacks(lines) {
66
98
  'Remote code execution in certain contexts'
67
99
  ], 'const fn = new Function(userCode); fn();', '// Refactor to avoid dynamic code generation\n// Use predefined functions or safer alternatives', 'Eliminate dynamic function creation. Use predefined functions, configuration objects, or refactor the architecture'));
68
100
  }
69
- // 3. setTimeout/setInterval with strings OR variables - MEDIUM
101
+ // 4. setTimeout/setInterval with strings OR variables - MEDIUM
70
102
  if (trimmed.match(/set(Timeout|Interval)\s*\(\s*['"]/) ||
71
103
  trimmed.match(/set(Timeout|Interval)\s*\(\s*[a-zA-Z_$][a-zA-Z0-9_$]*\s*,/)) {
72
104
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('settimeout-string', 'setTimeout/setInterval with string or code variable executes code like eval()', 'Use anonymous function: setTimeout(() => {...}, delay)', lineNumber, 'Passing a string or variable containing code to setTimeout/setInterval causes it to be evaluated as code, similar to eval().', 'setTimeout("alert(userInput)", 1000) or setTimeout(code, 1000) where code/userInput is attacker-controlled', [
@@ -76,7 +108,7 @@ function checkInjectionAttacks(lines) {
76
108
  ], 'setTimeout("doSomething()", 1000); // or setTimeout(code, 1000);', 'setTimeout(() => doSomething(), 1000);', 'Always pass a function reference or arrow function to setTimeout/setInterval, never a string or variable containing code'));
77
109
  }
78
110
  // OWASP A03:2021 - XSS (Cross-Site Scripting)
79
- // 4. innerHTML with variables - HIGH
111
+ // 5. innerHTML with variables - HIGH
80
112
  if (trimmed.match(/\.innerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
81
113
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'XSS: innerHTML with unsanitized variables', 'Use textContent, DOMPurify, or createElement()', lineNumber, 'An attacker can inject malicious JavaScript code through user input, stealing session cookies, credentials, or performing actions on behalf of the user.', 'element.innerHTML = "<div>" + userInput + "</div>" where userInput = "<img src=x onerror=alert(document.cookie)>"', [
82
114
  'Session hijacking (cookie theft)',
@@ -86,7 +118,7 @@ function checkInjectionAttacks(lines) {
86
118
  'Defacement'
87
119
  ], 'element.innerHTML = "<div>" + userContent + "</div>";', 'element.textContent = userContent; // Safe for plain text\n// Or: element.innerHTML = DOMPurify.sanitize(userContent);', 'Use textContent for plain text, or sanitize HTML with DOMPurify before setting innerHTML'));
88
120
  }
89
- // 5. outerHTML - HIGH
121
+ // 6. outerHTML - HIGH
90
122
  if (trimmed.match(/\.outerHTML\s*=/) && (trimmed.includes('+') || trimmed.includes('${'))) {
91
123
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'XSS: outerHTML with unsanitized variables', 'Use safe DOM methods', lineNumber, 'Setting outerHTML with user content allows XSS attacks by replacing the entire element with malicious HTML.', 'element.outerHTML = userHTML where userHTML contains <img src=x onerror=alert(1)>', [
92
124
  'Cross-site scripting (XSS)',
@@ -95,7 +127,7 @@ function checkInjectionAttacks(lines) {
95
127
  'Malware distribution'
96
128
  ], 'element.outerHTML = "<div>" + userContent + "</div>";', 'const div = document.createElement("div");\ndiv.textContent = userContent;\nelement.replaceWith(div);', 'Create elements using createElement() and set content with textContent, or sanitize HTML with DOMPurify'));
97
129
  }
98
- // 6. document.write - MEDIUM
130
+ // 7. document.write - MEDIUM
99
131
  if (trimmed.includes('document.write')) {
100
132
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('document-write', 'document.write is unsafe, deprecated and can cause XSS', 'Use createElement() and appendChild()', lineNumber, 'document.write() is synchronous, deprecated, and can be exploited for XSS if used with untrusted data.', 'document.write("<div>" + userInput + "</div>")', [
101
133
  'XSS vulnerability',
@@ -103,7 +135,7 @@ function checkInjectionAttacks(lines) {
103
135
  'Overwrites page content if called after page load'
104
136
  ], 'document.write("<h1>" + title + "</h1>");', 'const h1 = document.createElement("h1");\nh1.textContent = title;\ndocument.body.appendChild(h1);', 'Use modern DOM APIs: createElement(), textContent, and appendChild()'));
105
137
  }
106
- // 7. dangerouslySetInnerHTML (React) - HIGH
138
+ // 8. dangerouslySetInnerHTML (React) - HIGH
107
139
  if (trimmed.match(/dangerouslySetInnerHTML\s*=\s*{{/)) {
108
140
  vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('xss', 'React dangerouslySetInnerHTML can cause XSS', 'Sanitize with DOMPurify before use', lineNumber, 'Using dangerouslySetInnerHTML without sanitization allows XSS attacks through user-supplied HTML content.', '<div dangerouslySetInnerHTML={{__html: userInput}} /> where userInput contains malicious script', [
109
141
  'Cross-site scripting (XSS)',
@@ -112,7 +144,7 @@ function checkInjectionAttacks(lines) {
112
144
  'Malware distribution'
113
145
  ], '<div dangerouslySetInnerHTML={{__html: userInput}} />', 'import DOMPurify from "dompurify";\n<div dangerouslySetInnerHTML={{__html: DOMPurify.sanitize(userInput)}} />', 'Always sanitize HTML content with DOMPurify before passing to dangerouslySetInnerHTML'));
114
146
  }
115
- // 8. Express res.send/res.write with HTML template literals - HIGH
147
+ // 9. Express res.send/res.write with HTML template literals - HIGH
116
148
  // Detects: res.send(`<h1>Hello ${name}</h1>`) - Reflected XSS
117
149
  if (trimmed.match(/(res|response)\.(send|write)\s*\(/) &&
118
150
  trimmed.includes('`') &&
@@ -136,7 +168,7 @@ function checkInjectionAttacks(lines) {
136
168
  const varName = userInputAssignment[1];
137
169
  userInputVariables.set(varName, lineNumber);
138
170
  }
139
- // 9. MongoDB Operator Injection - CRITICAL
171
+ // 10. MongoDB Operator Injection - CRITICAL
140
172
  // Pattern: collection.find(req.body) or collection.findOne(userQuery)
141
173
  // Detects MongoDB query methods with user-controlled input
142
174
  const mongoMethodMatch = trimmed.match(/\.(find|findOne|findOneAndUpdate|update|updateOne|updateMany|delete|deleteOne|deleteMany|count|countDocuments|aggregate)\s*\(/);
@@ -177,7 +209,7 @@ function checkInjectionAttacks(lines) {
177
209
  }
178
210
  }
179
211
  }
180
- // 10. MongoDB $where JavaScript Injection - CRITICAL
212
+ // 11. MongoDB $where JavaScript Injection - CRITICAL
181
213
  // Pattern: collection.find({ "$where": `this.age > ${minAge}` })
182
214
  // Detects $where operator with string interpolation
183
215
  if (trimmed.includes('$where') || trimmed.includes('"$where"') || trimmed.includes("'$where'")) {
@@ -210,7 +242,7 @@ function checkInjectionAttacks(lines) {
210
242
  // =============================================================================
211
243
  // PHASE B - Server-Side Template Injection & LDAP Injection (Dec 20, 2025)
212
244
  // =============================================================================
213
- // 11. SSTI - Server-Side Template Injection - CRITICAL
245
+ // 12. SSTI - Server-Side Template Injection - CRITICAL
214
246
  // Pattern: Handlebars.compile(userInput), Pug.compile(), EJS.render(), etc.
215
247
  // Detects template compilation with user-controlled input
216
248
  const templateMethods = [
@@ -255,7 +287,7 @@ function checkInjectionAttacks(lines) {
255
287
  }
256
288
  }
257
289
  // =============================================================================
258
- // 12. LDAP Injection - CRITICAL
290
+ // 13. LDAP Injection - CRITICAL
259
291
  // Pattern: LDAP filter construction with user input via template literals or concatenation
260
292
  // Detects: client.search() with user-controlled filters
261
293
  // =============================================================================
@@ -313,6 +345,31 @@ function checkInjectionAttacks(lines) {
313
345
  ], 'const filter = `(uid=${req.body.username})`;', 'import { escape } from \'ldap-escape\';\nconst filter = `(uid=${escape(req.body.username)})`;', 'Always escape user input in LDAP filters using the ldap-escape npm package or equivalent LDAP escape function'));
314
346
  }
315
347
  }
348
+ // =============================================================================
349
+ // 14. Weak Validation Regex - MEDIUM
350
+ // Pattern: Overly simple regex for sensitive data (credit cards, emails, etc.)
351
+ // =============================================================================
352
+ // Detect weak credit card validation (only checks digits count, no Luhn)
353
+ if (trimmed.match(/\/\^\\d\{16\}\$\/\.test\(/)) {
354
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('weak-validation', 'Weak credit card validation - only checks 16 digits without Luhn algorithm', 'Implement proper Luhn algorithm validation or use a validated library', lineNumber, 'Validating credit card numbers by only checking for 16 digits is insufficient and allows invalid card numbers to pass. Real credit card validation requires the Luhn algorithm (modulo 10) check, which detects typos and invalid numbers. This can lead to failed transactions, poor user experience, and potential fraud.', '/^\\d{16}$/.test(cardNumber) // Accepts: 1111111111111111 (invalid) and 4532015112830366 (valid)', [
355
+ 'Acceptance of invalid credit card numbers',
356
+ 'Failed payment transactions',
357
+ 'Poor user experience (late validation failure)',
358
+ 'Potential fraud with obviously fake card numbers',
359
+ 'No detection of typos or data entry errors'
360
+ ], 'validateCard(cardNumber: string): boolean {\n return /^\\d{16}$/.test(cardNumber); // Only checks length\n}', '// Implement Luhn algorithm (modulo 10)\nfunction validateCard(cardNumber: string): boolean {\n if (!/^\\d{13,19}$/.test(cardNumber)) return false;\n \n let sum = 0;\n let isEven = false;\n \n for (let i = cardNumber.length - 1; i >= 0; i--) {\n let digit = parseInt(cardNumber[i]);\n if (isEven) {\n digit *= 2;\n if (digit > 9) digit -= 9;\n }\n sum += digit;\n isEven = !isEven;\n }\n \n return sum % 10 === 0;\n}\n// Or use library: import { validateCardNumber } from \'card-validator\';', 'Credit card validation must include the Luhn algorithm (modulo 10 checksum) to detect invalid numbers. Use established libraries like card-validator, validator.js, or implement the Luhn algorithm correctly. Also validate card type (Visa, MasterCard, etc.) and expiration date.'));
361
+ }
362
+ // Detect weak email validation (too simple regex)
363
+ if (trimmed.match(/\/\^[^@]+@[^@]+\.[^@]+\$\/\.test\(/) ||
364
+ trimmed.match(/\/\^[\\w.-]+@[\\w.-]+\\.[a-zA-Z]{2,}\$\/\.test\(/)) {
365
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)('weak-validation', 'Weak email validation - overly permissive regex allows invalid emails', 'Use RFC 5322 compliant validation or validator.js library', lineNumber, 'Simple email regex patterns allow invalid email addresses that will fail to receive emails. This leads to user registration failures, lost communications, and poor user experience. Proper email validation should follow RFC 5322 standards or use battle-tested libraries.', '/^[^@]+@[^@]+\\.[^@]+$/.test(email) // Accepts: "test@.com", "a@b.c", "user@@domain.com" (all invalid)', [
366
+ 'Acceptance of invalid email addresses',
367
+ 'Failed email delivery (bounce backs)',
368
+ 'Poor user experience',
369
+ 'Inability to reach users',
370
+ 'Wasted marketing/communication resources'
371
+ ], 'validateEmail(email: string): boolean {\n return /^[^@]+@[^@]+\\.[^@]+$/.test(email); // Too simple\n}', '// Option 1: Use validator.js (recommended)\nimport validator from \'validator\';\nfunction validateEmail(email: string): boolean {\n return validator.isEmail(email);\n}\n\n// Option 2: Use robust regex (RFC 5322 compliant)\nconst emailRegex = /^[a-zA-Z0-9.!#$%&\'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/;\nfunction validateEmail(email: string): boolean {\n return emailRegex.test(email);\n}', 'Use established email validation libraries (validator.js, email-validator) or RFC 5322 compliant regex patterns. Simple patterns like /^[^@]+@[^@]+\\.[^@]+$/ are insufficient and allow many invalid formats.'));
372
+ }
316
373
  });
317
374
  return vulnerabilities;
318
375
  }
package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyBH,sDA6eC;AAngBD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,SAAgB,qBAAqB,CACnC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,6EAA6E;IAC7E,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,+BAA+B;IAErF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,6BAA6B;QAC7B,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,YAAY,EACZ,kDAAkD,EAClD,4CAA4C,EAC5C,UAAU,EACV,mJAAmJ,EACnJ,mFAAmF,EACnF;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,sBAAsB;aACvB,EACD,iCAAiC,EACjC,wDAAwD,EACxD,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,kEAAkE,EAClE,mDAAmD,EACnD,UAAU,EACV,4IAA4I,EAC5I,kEAAkE,EAClE;gBACE,gBAAgB;gBAChB,0BAA0B;gBAC1B,iCAAiC;gBACjC,2CAA2C;aAC5C,EACD,0CAA0C,EAC1C,iGAAiG,EACjG,oHAAoH,CACrH,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,EAAE,CAAC;YAC/E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mBAAmB,EACnB,+EAA+E,EAC/E,wDAAwD,EACxD,UAAU,EACV,8HAA8H,EAC9H,4GAA4G,EAC5G;gBACE,qCAAqC;gBACrC,aAAa;gBACb,yCAAyC;aAC1C,EACD,kEAAkE,EAClE,wCAAwC,EACxC,0HAA0H,CAC3H,CAAC,CAAC;QACL,CAAC;QAED,8CAA8C;QAC9C,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,gDAAgD,EAChD,UAAU,EACV,0JAA0J,EAC1J,mHAAmH,EACnH;gBACE,kCAAkC;gBAClC,+BAA+B;gBAC/B,kBAAkB;gBAClB,sBAAsB;gBACtB,YAAY;aACb,EACD,uDAAuD,EACvD,wHAAwH,EACxH,0FAA0F,CAC3F,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,sBAAsB,EACtB,UAAU,EACV,6GAA6G,EAC7G,mFAAmF,EACnF;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,uGAAuG,EACvG,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,wDAAwD,EACxD,uCAAuC,EACvC,UAAU,EACV,wGAAwG,EACxG,gDAAgD,EAChD;gBACE,mBAAmB;gBACnB,sCAAsC;gBACtC,mDAAmD;aACpD,EACD,2CAA2C,EAC3C,mGAAmG,EACnG,sEAAsE,CACvE,CAAC,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,IAAI,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC;YACtD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,6CAA6C,EAC7C,oCAAoC,EACpC,UAAU,EACV,2GAA2G,EAC3G,iGAAiG,EACjG;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,+GAA+G,EAC/G,uFAAuF,CACxF,CAAC,CAAC;QACL,CAAC;QAED,mEAAmE;QACnE,8DAA8D;QAC9D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,mEAAmE,EACnE,2DAA2D,EAC3D,UAAU,EACV,oLAAoL,EACpL,qGAAqG,EACrG;gBACE,uBAAuB;gBACvB,kCAAkC;gBAClC,kBAAkB;gBAClB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,yCAAyC,EACzC,kKAAkK,EAClK,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,wDAAwD;QACxD,gFAAgF;QAEhF,0EAA0E;QAC1E,mEAAmE;QACnE,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAClH,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACvC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC9C,CAAC;QAED,2CAA2C;QAC3C,sEAAsE;QACtE,2DAA2D;QAC3D,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,+HAA+H,CAAC,CAAC;QAExK,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;YAEvC,qCAAqC;YACrC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,8IAA8I,CAAC,CAAC;YAEtL,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEvC,8BAA8B;gBAC9B,MAAM,kBAAkB,GACtB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;oBACzB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAC3B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC1B,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9B,gCAAgC;gBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAE9D,oDAAoD;gBACpD,MAAM,sBAAsB,GAAG,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC;oBACvD,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAE1H,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,sBAAsB,EAAE,CAAC;oBACzE,MAAM,eAAe,GAAG,kBAAkB;wBACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU;wBAChE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;oBAE1G,uDAAuD;oBACvD,+EAA+E;oBAC/E,MAAM,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC;wBAC9D,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,sBAAsB,CAAC;oBAE1G,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,WAAW,UAAU,yDAAyD,EAC9E,8DAA8D,EAC9D,UAAU,EACV,mOAAmO,eAAe,mCAAmC,EACrR,uJAAuJ,EACvJ;4BACE,yDAAyD;4BACzD,sDAAsD;4BACtD,0CAA0C;4BAC1C,8CAA8C;4BAC9C,iDAAiD;yBAClD,EACD,8DAA8D,UAAU,4DAA4D,EACpI,mQAAmQ,UAAU,iIAAiI,UAAU,mDAAmD,EAC3c,0QAA0Q,CAC3Q,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,iEAAiE;QACjE,oDAAoD;QACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/F,2CAA2C;YAC3C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC;gBAC5C,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAE5E,iCAAiC;YACjC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAExE,IAAI,kBAAkB,IAAI,eAAe,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,sDAAsD,EACtD,4EAA4E,EAC5E,UAAU,EACV,+RAA+R,EAC/R,6HAA6H,EAC7H;oBACE,iEAAiE;oBACjE,6CAA6C;oBAC7C,yDAAyD;oBACzD,gDAAgD;oBAChD,gDAAgD;iBACjD,EACD,kIAAkI,EAClI,sOAAsO,EACtO,4RAA4R,CAC7R,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8FAA8F;QAC9F,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,2DAA2D,EAC3D,kDAAkD,EAClD,UAAU,EACV,kMAAkM,EAClM,kFAAkF,EAClF;gBACE,kDAAkD;gBAClD,0BAA0B;gBAC1B,sBAAsB;gBACtB,mBAAmB;aACpB,EACD,6FAA6F,EAC7F,sIAAsI,EACtI,6KAA6K,CAC9K,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,2EAA2E;QAC3E,gFAAgF;QAEhF,uDAAuD;QACvD,4EAA4E;QAC5E,0DAA0D;QAC1D,MAAM,eAAe,GAAG;YACtB,oBAAoB;YACpB,aAAa;YACb,YAAY;YACZ,uBAAuB;YACvB,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,sCAAsC;gBACtC,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;gBACzE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBAEjD,IAAI,WAAW,EAAE,CAAC;oBAChB,8BAA8B;oBAC9B,MAAM,kBAAkB,GACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;wBAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBAC9B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;oBAEjC,gCAAgC;oBAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;oBAC/F,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAE9D,6CAA6C;oBAC7C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC;wBAC1B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAE3I,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,kBAAkB,EAAE,CAAC;wBACrE,MAAM,eAAe,GAAG,kBAAkB;4BACxC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC;4BACzE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC;wBAE3G,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,MAAM,EACN,sCAAsC,MAAM,kCAAkC,EAC9E,kFAAkF,EAClF,UAAU,EACV,kJAAkJ,eAAe,4HAA4H,EAC7R,GAAG,MAAM,qJAAqJ,EAC9J;4BACE,6BAA6B;4BAC7B,0BAA0B;4BAC1B,qDAAqD;4BACrD,0CAA0C;4BAC1C,oCAAoC;4BACpC,oCAAoC;yBACrC,EACD,0DAA0D,MAAM,6CAA6C,EAC7G,wHAAwH,MAAM,sIAAsI,EACpQ,6PAA6P,CAC9P,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,gCAAgC;QAChC,2FAA2F;QAC3F,wDAAwD;QACxD,gFAAgF;QAEhF,gCAAgC;QAChC,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACpD,qDAAqD;YAErD,wDAAwD;YACxD,+CAA+C;YAC/C,MAAM,wBAAwB,GAAG,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;gBAC1C,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAErH,kEAAkE;YAClE,6DAA6D;YAC7D,MAAM,uBAAuB,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC;gBACvC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAEpH,4CAA4C;YAC5C,oDAAoD;YACpD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;gBACpD,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAE5G,gDAAgD;YAChD,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChF,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxD,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAEpE,0FAA0F;YAC1F,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC3D,MAAM,kBAAkB,GAAG,cAAc,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE9E,IAAI,wBAAwB,IAAI,uBAAuB,IAAI,eAAe,IAAI,qBAAqB,IAAI,kBAAkB,EAAE,CAAC;gBAC1H,MAAM,eAAe,GAAG,kBAAkB;oBACxC,CAAC,CAAC,yBAAyB,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG;oBAC9D,CAAC,CAAC,CAAC,qBAAqB;wBACtB,CAAC,CAAC,GAAG,aAAa,UAAU,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG;wBACpE,CAAC,CAAC,sBAAsB,CAAC,CAAC;gBAE9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,+CAA+C,eAAe,EAAE,EAChE,kEAAkE,EAClE,UAAU,EACV,6PAA6P,EAC7P,uIAAuI,EACvI;oBACE,2CAA2C;oBAC3C,iEAAiE;oBACjE,wDAAwD;oBACxD,8CAA8C;oBAC9C,mFAAmF;iBACpF,EACD,sKAAsK,EACtK,wZAAwZ,EACxZ,4VAA4V,CAC7V,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,wDAAwD;QACxD,IAAI,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,EAAE,CAAC;YAC9E,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACnD,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC;YAE1D,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,4DAA4D,EAC5D,kEAAkE,EAClE,UAAU,EACV,6MAA6M,EAC7M,2GAA2G,EAC3G;oBACE,uBAAuB;oBACvB,0BAA0B;oBAC1B,uBAAuB;oBACvB,wBAAwB;iBACzB,EACD,8CAA8C,EAC9C,+FAA+F,EAC/F,+GAA+G,CAChH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
1
+ {"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AA2BH,sDA4kBC;AApmBD,sEAAqF;AAErF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,qBAAqB,CACnC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,6EAA6E;IAC7E,MAAM,kBAAkB,GAAG,IAAI,GAAG,EAAkB,CAAC,CAAC,+BAA+B;IAErF,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,8CAA8C;QAC9C,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO;QAElG,6BAA6B;QAC7B,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,YAAY,EACZ,kDAAkD,EAClD,4CAA4C,EAC5C,UAAU,EACV,mJAAmJ,EACnJ,mFAAmF,EACnF;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,sBAAsB;aACvB,EACD,iCAAiC,EACjC,wDAAwD,EACxD,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,kCAAkC;QAClC,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,EAAE,CAAC;YACpE,8EAA8E;YAC9E,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YAC1F,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC;gBACvE,OAAO,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC;YACxF,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;YAE3G,iDAAiD;YACjD,IAAI,gBAAgB,GAAG,KAAK,CAAC;YAC7B,IAAI,cAAc,EAAE,CAAC;gBACnB,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,+DAA+D,CAAC,CAAC;gBAChG,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;oBAC5B,gBAAgB,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC;wBAC/B,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CACpC,QAAQ,CAAC,QAAQ,CAAC,GAAG,OAAO,EAAE,CAAC;4BAC/B,CAAC,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBACxJ,CAAC;YACH,CAAC;YAED,IAAI,kBAAkB,IAAI,eAAe,IAAI,gBAAgB,EAAE,CAAC;gBAC9D,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mBAAmB,EACnB,mEAAmE,EACnE,sEAAsE,EACtE,UAAU,EACV,sOAAsO,EACtO,mHAAmH,EACnH;oBACE,6BAA6B;oBAC7B,0BAA0B;oBAC1B,6BAA6B;oBAC7B,sBAAsB;oBACtB,mBAAmB;oBACnB,sBAAsB;iBACvB,EACD,sGAAsG,EACtG,sfAAsf,EACtf,wOAAwO,CACzO,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,IAAI,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,EAAE,CAAC;YACzC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,sBAAsB,EACtB,kEAAkE,EAClE,mDAAmD,EACnD,UAAU,EACV,4IAA4I,EAC5I,kEAAkE,EAClE;gBACE,gBAAgB;gBAChB,0BAA0B;gBAC1B,iCAAiC;gBACjC,2CAA2C;aAC5C,EACD,0CAA0C,EAC1C,iGAAiG,EACjG,oHAAoH,CACrH,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,2DAA2D,CAAC,EAAE,CAAC;YAC/E,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,mBAAmB,EACnB,+EAA+E,EAC/E,wDAAwD,EACxD,UAAU,EACV,8HAA8H,EAC9H,4GAA4G,EAC5G;gBACE,qCAAqC;gBACrC,aAAa;gBACb,yCAAyC;aAC1C,EACD,kEAAkE,EAClE,wCAAwC,EACxC,0HAA0H,CAC3H,CAAC,CAAC;QACL,CAAC;QAED,8CAA8C;QAC9C,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,gDAAgD,EAChD,UAAU,EACV,0JAA0J,EAC1J,mHAAmH,EACnH;gBACE,kCAAkC;gBAClC,+BAA+B;gBAC/B,kBAAkB;gBAClB,sBAAsB;gBACtB,YAAY;aACb,EACD,uDAAuD,EACvD,wHAAwH,EACxH,0FAA0F,CAC3F,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC1F,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,2CAA2C,EAC3C,sBAAsB,EACtB,UAAU,EACV,6GAA6G,EAC7G,mFAAmF,EACnF;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,uGAAuG,EACvG,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvC,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,wDAAwD,EACxD,uCAAuC,EACvC,UAAU,EACV,wGAAwG,EACxG,gDAAgD,EAChD;gBACE,mBAAmB;gBACnB,sCAAsC;gBACtC,mDAAmD;aACpD,EACD,2CAA2C,EAC3C,mGAAmG,EACnG,sEAAsE,CACvE,CAAC,CAAC;QACL,CAAC;QAED,4CAA4C;QAC5C,IAAI,OAAO,CAAC,KAAK,CAAC,kCAAkC,CAAC,EAAE,CAAC;YACtD,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,6CAA6C,EAC7C,oCAAoC,EACpC,UAAU,EACV,2GAA2G,EAC3G,iGAAiG,EACjG;gBACE,4BAA4B;gBAC5B,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,uDAAuD,EACvD,+GAA+G,EAC/G,uFAAuF,CACxF,CAAC,CAAC;QACL,CAAC;QAED,mEAAmE;QACnE,8DAA8D;QAC9D,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;YAClD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YACrB,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC;YACxB,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,KAAK,EACL,mEAAmE,EACnE,2DAA2D,EAC3D,UAAU,EACV,oLAAoL,EACpL,qGAAqG,EACrG;gBACE,uBAAuB;gBACvB,kCAAkC;gBAClC,kBAAkB;gBAClB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,yCAAyC,EACzC,kKAAkK,EAClK,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,wDAAwD;QACxD,gFAAgF;QAEhF,0EAA0E;QAC1E,mEAAmE;QACnE,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,sEAAsE,CAAC,CAAC;QAClH,IAAI,mBAAmB,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YACvC,kBAAkB,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;QAC9C,CAAC;QAED,4CAA4C;QAC5C,sEAAsE;QACtE,2DAA2D;QAC3D,MAAM,gBAAgB,GAAG,OAAO,CAAC,KAAK,CAAC,+HAA+H,CAAC,CAAC;QAExK,IAAI,gBAAgB,EAAE,CAAC;YACrB,MAAM,UAAU,GAAG,gBAAgB,CAAC,CAAC,CAAC,CAAC;YAEvC,qCAAqC;YACrC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,8IAA8I,CAAC,CAAC;YAEtL,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAEvC,8BAA8B;gBAC9B,MAAM,kBAAkB,GACtB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;oBACzB,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;oBAC3B,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;oBAC1B,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBAE9B,gCAAgC;gBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC3C,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBAE9D,oDAAoD;gBACpD,MAAM,sBAAsB,GAAG,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC;oBACvD,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;gBAE1H,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,sBAAsB,EAAE,CAAC;oBACzE,MAAM,eAAe,GAAG,kBAAkB;wBACxC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU;wBAChE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC;oBAE1G,uDAAuD;oBACvD,+EAA+E;oBAC/E,MAAM,qBAAqB,GAAG,IAAI,CAAC,KAAK,CAAC,mDAAmD,CAAC;wBAC9D,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,sBAAsB,CAAC;oBAE1G,IAAI,CAAC,qBAAqB,EAAE,CAAC;wBAC3B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,WAAW,UAAU,yDAAyD,EAC9E,8DAA8D,EAC9D,UAAU,EACV,mOAAmO,eAAe,mCAAmC,EACrR,uJAAuJ,EACvJ;4BACE,yDAAyD;4BACzD,sDAAsD;4BACtD,0CAA0C;4BAC1C,8CAA8C;4BAC9C,iDAAiD;yBAClD,EACD,8DAA8D,UAAU,4DAA4D,EACpI,mQAAmQ,UAAU,iIAAiI,UAAU,mDAAmD,EAC3c,0QAA0Q,CAC3Q,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,qDAAqD;QACrD,iEAAiE;QACjE,oDAAoD;QACpD,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YAC/F,2CAA2C;YAC3C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC;gBAC5C,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAE5E,iCAAiC;YACjC,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,yCAAyC,CAAC;gBACvD,OAAO,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAExE,IAAI,kBAAkB,IAAI,eAAe,EAAE,CAAC;gBAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,sDAAsD,EACtD,4EAA4E,EAC5E,UAAU,EACV,+RAA+R,EAC/R,6HAA6H,EAC7H;oBACE,iEAAiE;oBACjE,6CAA6C;oBAC7C,yDAAyD;oBACzD,gDAAgD;oBAChD,gDAAgD;iBACjD,EACD,kIAAkI,EAClI,sOAAsO,EACtO,4RAA4R,CAC7R,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,8FAA8F;QAC9F,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,iDAAiD,CAAC,EAAE,CAAC;YACrE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,2DAA2D,EAC3D,kDAAkD,EAClD,UAAU,EACV,kMAAkM,EAClM,kFAAkF,EAClF;gBACE,kDAAkD;gBAClD,0BAA0B;gBAC1B,sBAAsB;gBACtB,mBAAmB;aACpB,EACD,6FAA6F,EAC7F,sIAAsI,EACtI,6KAA6K,CAC9K,CAAC,CAAC;QACL,CAAC;QAED,gFAAgF;QAChF,2EAA2E;QAC3E,gFAAgF;QAEhF,uDAAuD;QACvD,4EAA4E;QAC5E,0DAA0D;QAC1D,MAAM,eAAe,GAAG;YACtB,oBAAoB;YACpB,aAAa;YACb,YAAY;YACZ,uBAAuB;YACvB,YAAY;SACb,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC7B,sCAAsC;gBACtC,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;gBACzE,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;gBAEjD,IAAI,WAAW,EAAE,CAAC;oBAChB,8BAA8B;oBAC9B,MAAM,kBAAkB,GACtB,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;wBAC5B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;wBAC9B,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;wBAC7B,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;oBAEjC,gCAAgC;oBAChC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,MAAM,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;oBAC/F,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBACpD,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;oBAE9D,6CAA6C;oBAC7C,MAAM,kBAAkB,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC;wBAC1B,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAE3I,IAAI,kBAAkB,IAAI,oBAAoB,IAAI,kBAAkB,EAAE,CAAC;wBACrE,MAAM,eAAe,GAAG,kBAAkB;4BACxC,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC;4BACzE,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,GAAG,QAAQ,UAAU,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC;wBAE3G,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,MAAM,EACN,sCAAsC,MAAM,kCAAkC,EAC9E,kFAAkF,EAClF,UAAU,EACV,kJAAkJ,eAAe,4HAA4H,EAC7R,GAAG,MAAM,qJAAqJ,EAC9J;4BACE,6BAA6B;4BAC7B,0BAA0B;4BAC1B,qDAAqD;4BACrD,0CAA0C;4BAC1C,oCAAoC;4BACpC,oCAAoC;yBACrC,EACD,0DAA0D,MAAM,6CAA6C,EAC7G,wHAAwH,MAAM,sIAAsI,EACpQ,6PAA6P,CAC9P,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,gCAAgC;QAChC,2FAA2F;QAC3F,wDAAwD;QACxD,gFAAgF;QAEhF,gCAAgC;QAChC,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC;YACpD,qDAAqD;YAErD,wDAAwD;YACxD,+CAA+C;YAC/C,MAAM,wBAAwB,GAAG,OAAO,CAAC,KAAK,CAAC,4BAA4B,CAAC;gBAC1C,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAErH,kEAAkE;YAClE,6DAA6D;YAC7D,MAAM,uBAAuB,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC;gBACvC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAEpH,4CAA4C;YAC5C,oDAAoD;YACpD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC;gBACpD,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;oBACxB,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAE5G,gDAAgD;YAChD,MAAM,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChF,MAAM,aAAa,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACxD,MAAM,qBAAqB,GAAG,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;YAEpE,0FAA0F;YAC1F,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;YAC3D,MAAM,kBAAkB,GAAG,cAAc,IAAI,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YAE9E,IAAI,wBAAwB,IAAI,uBAAuB,IAAI,eAAe,IAAI,qBAAqB,IAAI,kBAAkB,EAAE,CAAC;gBAC1H,MAAM,eAAe,GAAG,kBAAkB;oBACxC,CAAC,CAAC,yBAAyB,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG;oBAC9D,CAAC,CAAC,CAAC,qBAAqB;wBACtB,CAAC,CAAC,GAAG,aAAa,UAAU,kBAAkB,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG;wBACpE,CAAC,CAAC,sBAAsB,CAAC,CAAC;gBAE9B,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,+CAA+C,eAAe,EAAE,EAChE,kEAAkE,EAClE,UAAU,EACV,6PAA6P,EAC7P,uIAAuI,EACvI;oBACE,2CAA2C;oBAC3C,iEAAiE;oBACjE,wDAAwD;oBACxD,8CAA8C;oBAC9C,mFAAmF;iBACpF,EACD,sKAAsK,EACtK,wZAAwZ,EACxZ,4VAA4V,CAC7V,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,wDAAwD;QACxD,IAAI,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,EAAE,CAAC;YAC9E,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC;gBAC9B,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CACnD,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC;YAE1D,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,gBAAgB,EAChB,4DAA4D,EAC5D,kEAAkE,EAClE,UAAU,EACV,6MAA6M,EAC7M,2GAA2G,EAC3G;oBACE,uBAAuB;oBACvB,0BAA0B;oBAC1B,uBAAuB;oBACvB,wBAAwB;iBACzB,EACD,8CAA8C,EAC9C,+FAA+F,EAC/F,+GAA+G,CAChH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,gFAAgF;QAChF,qCAAqC;QACrC,+EAA+E;QAC/E,gFAAgF;QAEhF,yEAAyE;QACzE,IAAI,OAAO,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC;YAC/C,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,4EAA4E,EAC5E,uEAAuE,EACvE,UAAU,EACV,6TAA6T,EAC7T,kGAAkG,EAClG;gBACE,2CAA2C;gBAC3C,6BAA6B;gBAC7B,gDAAgD;gBAChD,kDAAkD;gBAClD,4CAA4C;aAC7C,EACD,8GAA8G,EAC9G,+gBAA+gB,EAC/gB,sRAAsR,CACvR,CAAC,CAAC;QACL,CAAC;QAED,kDAAkD;QAClD,IAAI,OAAO,CAAC,KAAK,CAAC,oCAAoC,CAAC;YACnD,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,EAAE,CAAC;YACtE,eAAe,CAAC,IAAI,CAAC,IAAA,2DAAqC,EACxD,iBAAiB,EACjB,uEAAuE,EACvE,2DAA2D,EAC3D,UAAU,EACV,+QAA+Q,EAC/Q,wGAAwG,EACxG;gBACE,uCAAuC;gBACvC,sCAAsC;gBACtC,sBAAsB;gBACtB,0BAA0B;gBAC1B,0CAA0C;aAC3C,EACD,yGAAyG,EACzG,ydAAyd,EACzd,gNAAgN,CACjN,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts ADDED
@@ -0,0 +1,24 @@
1
+ /**
2
+ * TypeScript Type Safety Security Checks
3
+ * OWASP A04:2025 - Insecure Design
4
+ *
5
+ * Detects common type mismatches that can lead to runtime errors and security vulnerabilities.
6
+ * These patterns are often generated by AI or result from misunderstanding JavaScript/TypeScript type system.
7
+ *
8
+ * Created: January 23, 2026
9
+ */
10
+ import { SecurityVulnerability } from '../../types';
11
+ /**
12
+ * Checks for type safety violations in TypeScript code
13
+ *
14
+ * Covers:
15
+ * - Check #1: .toFixed() assigned to number type (returns string)
16
+ * - Check #2: String operations assigned to number type
17
+ * - Check #3: Numeric operations assigned to string type
18
+ *
19
+ * @param lines - Array of code lines
20
+ * @param filename - Optional filename (to skip test files)
21
+ * @returns Array of security vulnerabilities found
22
+ */
23
+ export declare function checkTypeSafety(lines: string[], filename?: string): SecurityVulnerability[];
24
+ //# sourceMappingURL=type-safety.d.ts.map
package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"type-safety.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/type-safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,KAAK,EAAE,MAAM,EAAE,EACf,QAAQ,CAAC,EAAE,MAAM,GAChB,qBAAqB,EAAE,CAoLzB"}
package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js ADDED
@@ -0,0 +1,181 @@
1
+ "use strict";
2
+ /**
3
+ * TypeScript Type Safety Security Checks
4
+ * OWASP A04:2025 - Insecure Design
5
+ *
6
+ * Detects common type mismatches that can lead to runtime errors and security vulnerabilities.
7
+ * These patterns are often generated by AI or result from misunderstanding JavaScript/TypeScript type system.
8
+ *
9
+ * Created: January 23, 2026
10
+ */
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.checkTypeSafety = checkTypeSafety;
13
+ const createVulnerability_1 = require("../utils/createVulnerability");
14
+ /**
15
+ * Checks for type safety violations in TypeScript code
16
+ *
17
+ * Covers:
18
+ * - Check #1: .toFixed() assigned to number type (returns string)
19
+ * - Check #2: String operations assigned to number type
20
+ * - Check #3: Numeric operations assigned to string type
21
+ *
22
+ * @param lines - Array of code lines
23
+ * @param filename - Optional filename (to skip test files)
24
+ * @returns Array of security vulnerabilities found
25
+ */
26
+ function checkTypeSafety(lines, filename) {
27
+ const vulnerabilities = [];
28
+ let inMultiLineComment = false;
29
+ // Skip test/spec files that intentionally demonstrate wrong patterns
30
+ const isTestFile = filename?.match(/\.(test|spec)\.(ts|tsx)$/i);
31
+ if (isTestFile) {
32
+ return [];
33
+ }
34
+ lines.forEach((line, index) => {
35
+ const lineNumber = index + 1;
36
+ const trimmed = line.trim();
37
+ // Track multi-line comments
38
+ if (trimmed.includes('/*'))
39
+ inMultiLineComment = true;
40
+ if (trimmed.includes('*/')) {
41
+ inMultiLineComment = false;
42
+ return;
43
+ }
44
+ // Skip comments and empty lines
45
+ if (!trimmed || inMultiLineComment || trimmed.startsWith('//')) {
46
+ return;
47
+ }
48
+ // =============================================================================
49
+ // Check #1: .toFixed() assigned to number type (MEDIUM severity)
50
+ // =============================================================================
51
+ // Pattern: const varName: number = expr.toFixed(...)
52
+ // Issue: .toFixed() returns string, not number
53
+ // Common in: Payment processing, financial calculations, currency formatting
54
+ const toFixedPattern = /(?:const|let|var)\s+(\w+)\s*:\s*number\s*=\s*[^;]*\.toFixed\s*\(/;
55
+ const toFixedMatch = trimmed.match(toFixedPattern);
56
+ if (toFixedMatch) {
57
+ const varName = toFixedMatch[1];
58
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)({
59
+ category: 'ts-type-mismatch-toFixed',
60
+ severity: 'medium',
61
+ confidence: 'high',
62
+ message: `Type mismatch: .toFixed() returns string, but assigned to number variable '${varName}'`,
63
+ line: lineNumber,
64
+ suggestion: 'Remove the : number type annotation, or use parseFloat() to convert back to number',
65
+ owasp: 'A04:2025 - Insecure Design',
66
+ cwe: 'CWE-843',
67
+ pciDss: 'PCI DSS 6.5',
68
+ remediation: {
69
+ explanation: '.toFixed() returns a string representation of a number with fixed decimal points. Assigning it to a number variable causes type confusion. ' +
70
+ 'In financial calculations, this can lead to incorrect arithmetic operations, payment processing errors, and potential fraud. ' +
71
+ 'Always use the correct type or explicitly convert back to number using parseFloat().',
72
+ before: `const amount: number = payment.amount.toFixed(2); // Type error!
73
+ const total = amount + tax; // String concatenation, not addition!`,
74
+ after: `// Option 1: Use string type (recommended for display)
75
+ const amountStr: string = payment.amount.toFixed(2);
76
+
77
+ // Option 2: Convert back to number (if needed for calculations)
78
+ const amount: number = parseFloat(payment.amount.toFixed(2));
79
+ const total = amount + tax; // Correct numeric addition`,
80
+ },
81
+ attackVector: {
82
+ description: 'Type confusion in financial calculations can lead to incorrect payment amounts, currency conversion errors, and potential fraud. ' +
83
+ 'String concatenation instead of numeric addition can result in wrong totals (e.g., "10.00" + "5.00" = "10.005.00" instead of 15.00).',
84
+ exploitExample: `// Vulnerable code:
85
+ const price: number = item.price.toFixed(2); // price = "19.99" (string!)
86
+ const tax: number = price * 0.1; // tax = NaN
87
+ const total = price + tax; // total = "19.99NaN"
88
+
89
+ // Attacker manipulates item.price to exploit type confusion
90
+ // Result: Incorrect payment amounts, failed transactions, or bypassed limits`,
91
+ realWorldImpact: [
92
+ 'Incorrect payment calculations in e-commerce',
93
+ 'Currency conversion errors in financial systems',
94
+ 'Tax calculation mistakes',
95
+ 'Failed payment validations (NaN comparisons always false)',
96
+ 'Potential for payment bypass or overcharge',
97
+ 'PCI-DSS compliance violations',
98
+ ],
99
+ },
100
+ }));
101
+ }
102
+ // =============================================================================
103
+ // Check #2: String methods assigned to number type
104
+ // =============================================================================
105
+ // Detects: const x: number = str.substring(...), str.slice(...), etc.
106
+ const stringMethodsPattern = /(?:const|let|var)\s+(\w+)\s*:\s*number\s*=\s*[^;]*\.(substring|slice|substr|trim|toLowerCase|toUpperCase|replace|split)\s*\(/;
107
+ const stringMethodMatch = trimmed.match(stringMethodsPattern);
108
+ if (stringMethodMatch) {
109
+ const varName = stringMethodMatch[1];
110
+ const method = stringMethodMatch[2];
111
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)({
112
+ category: 'ts-type-mismatch-string-method',
113
+ severity: 'medium',
114
+ confidence: 'high',
115
+ message: `Type mismatch: .${method}() returns string, but assigned to number variable '${varName}'`,
116
+ line: lineNumber,
117
+ suggestion: `Change type annotation to 'string' or remove it entirely`,
118
+ owasp: 'A04:2025 - Insecure Design',
119
+ cwe: 'CWE-843',
120
+ pciDss: 'PCI DSS 6.5',
121
+ remediation: {
122
+ explanation: `String methods like .${method}() always return strings. Assigning them to number variables causes type confusion and runtime errors.`,
123
+ before: `const id: number = userId.${method}(0, 5); // Type error!`,
124
+ after: `const id: string = userId.${method}(0, 5); // Correct type`,
125
+ },
126
+ attackVector: {
127
+ description: 'Type confusion can lead to logic errors in authentication, authorization, and data validation.',
128
+ exploitExample: `const userId: number = input.slice(0, 5); // Actually a string!
129
+ if (userId === 12345) { } // Always false, auth bypass`,
130
+ realWorldImpact: [
131
+ 'Authentication bypass due to failed comparisons',
132
+ 'Authorization errors',
133
+ 'Data validation failures',
134
+ 'NaN propagation in calculations',
135
+ ],
136
+ },
137
+ }));
138
+ }
139
+ // =============================================================================
140
+ // Check #3: Number operations assigned to string type
141
+ // =============================================================================
142
+ // Detects: const x: string = num1 + num2 (should be number)
143
+ const numericOpsPattern = /(?:const|let|var)\s+(\w+)\s*:\s*string\s*=\s*([a-zA-Z_]\w*)\s*[\+\-\*\/]\s*([a-zA-Z_]\w*)\s*;/;
144
+ const numericOpsMatch = trimmed.match(numericOpsPattern);
145
+ if (numericOpsMatch) {
146
+ const varName = numericOpsMatch[1];
147
+ // Skip if looks like template literal or string concatenation
148
+ if (trimmed.includes('`') || trimmed.includes('"') || trimmed.includes("'")) {
149
+ return;
150
+ }
151
+ vulnerabilities.push((0, createVulnerability_1.createTypeScriptSecurityVulnerability)({
152
+ category: 'ts-type-mismatch-numeric-ops',
153
+ severity: 'low',
154
+ confidence: 'medium',
155
+ message: `Potential type mismatch: Numeric operation assigned to string variable '${varName}'`,
156
+ line: lineNumber,
157
+ suggestion: 'Verify if this should be number type instead of string',
158
+ owasp: 'A04:2025 - Insecure Design',
159
+ cwe: 'CWE-843',
160
+ pciDss: 'PCI DSS 6.5',
161
+ remediation: {
162
+ explanation: 'Assigning numeric calculations to string variables may indicate type confusion. Verify the intended type.',
163
+ before: `const total: string = price + tax; // Confusing!`,
164
+ after: `const total: number = price + tax; // Clear intent`,
165
+ },
166
+ attackVector: {
167
+ description: 'Type confusion in calculations can lead to logic errors and security vulnerabilities.',
168
+ exploitExample: `const discount: string = price - 10; // Type confusion
169
+ // Later comparisons or operations may fail`,
170
+ realWorldImpact: [
171
+ 'Logic errors in business calculations',
172
+ 'Failed validations',
173
+ 'Type coercion vulnerabilities',
174
+ ],
175
+ },
176
+ }));
177
+ }
178
+ });
179
+ return vulnerabilities;
180
+ }
181
+ //# sourceMappingURL=type-safety.js.map
package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"type-safety.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/typescript/security-checks/type-safety.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;AAiBH,0CAuLC;AArMD,sEAAqF;AAErF;;;;;;;;;;;GAWG;AACH,SAAgB,eAAe,CAC7B,KAAe,EACf,QAAiB;IAEjB,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,qEAAqE;IACrE,MAAM,UAAU,GAAG,QAAQ,EAAE,KAAK,CAAC,2BAA2B,CAAC,CAAC;IAChE,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,4BAA4B;QAC5B,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC;YAAE,kBAAkB,GAAG,IAAI,CAAC;QACtD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,kBAAkB,GAAG,KAAK,CAAC;YAC3B,OAAO;QACT,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC/D,OAAO;QACT,CAAC;QAED,gFAAgF;QAChF,iEAAiE;QACjE,gFAAgF;QAChF,qDAAqD;QACrD,+CAA+C;QAC/C,6EAA6E;QAE7E,MAAM,cAAc,GAAG,kEAAkE,CAAC;QAC1F,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QAEnD,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAEhC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EAAC;gBACpC,QAAQ,EAAE,0BAA0B;gBACpC,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,8EAA8E,OAAO,GAAG;gBACjG,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,oFAAoF;gBAChG,KAAK,EAAE,4BAA4B;gBACnC,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE;oBACX,WAAW,EACT,6IAA6I;wBAC7I,+HAA+H;wBAC/H,sFAAsF;oBACxF,MAAM,EAAE;mEAC+C;oBACvD,KAAK,EAAE;;;;;wDAKqC;iBAC7C;gBACD,YAAY,EAAE;oBACZ,WAAW,EACT,mIAAmI;wBACnI,sIAAsI;oBACxI,cAAc,EAAE;;;;;;8EAMkD;oBAClE,eAAe,EAAE;wBACf,8CAA8C;wBAC9C,iDAAiD;wBACjD,0BAA0B;wBAC1B,2DAA2D;wBAC3D,4CAA4C;wBAC5C,+BAA+B;qBAChC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,mDAAmD;QACnD,gFAAgF;QAChF,sEAAsE;QAEtE,MAAM,oBAAoB,GACxB,8HAA8H,CAAC;QACjI,MAAM,iBAAiB,GAAG,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAC;QAE9D,IAAI,iBAAiB,EAAE,CAAC;YACtB,MAAM,OAAO,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;YACrC,MAAM,MAAM,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;YAEpC,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EAAC;gBACpC,QAAQ,EAAE,gCAAgC;gBAC1C,QAAQ,EAAE,QAAQ;gBAClB,UAAU,EAAE,MAAM;gBAClB,OAAO,EAAE,mBAAmB,MAAM,uDAAuD,OAAO,GAAG;gBACnG,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,0DAA0D;gBACtE,KAAK,EAAE,4BAA4B;gBACnC,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE;oBACX,WAAW,EAAE,wBAAwB,MAAM,wGAAwG;oBACnJ,MAAM,EAAE,6BAA6B,MAAM,wBAAwB;oBACnE,KAAK,EAAE,6BAA6B,MAAM,yBAAyB;iBACpE;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,gGAAgG;oBAC7G,cAAc,EAAE;uDAC2B;oBAC3C,eAAe,EAAE;wBACf,iDAAiD;wBACjD,sBAAsB;wBACtB,0BAA0B;wBAC1B,iCAAiC;qBAClC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;QAED,gFAAgF;QAChF,sDAAsD;QACtD,gFAAgF;QAChF,4DAA4D;QAE5D,MAAM,iBAAiB,GAAG,+FAA+F,CAAC;QAC1H,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAEzD,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAEnC,8DAA8D;YAC9D,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5E,OAAO;YACT,CAAC;YAED,eAAe,CAAC,IAAI,CAClB,IAAA,2DAAqC,EAAC;gBACpC,QAAQ,EAAE,8BAA8B;gBACxC,QAAQ,EAAE,KAAK;gBACf,UAAU,EAAE,QAAQ;gBACpB,OAAO,EAAE,2EAA2E,OAAO,GAAG;gBAC9F,IAAI,EAAE,UAAU;gBAChB,UAAU,EAAE,wDAAwD;gBACpE,KAAK,EAAE,4BAA4B;gBACnC,GAAG,EAAE,SAAS;gBACd,MAAM,EAAE,aAAa;gBACrB,WAAW,EAAE;oBACX,WAAW,EAAE,2GAA2G;oBACxH,MAAM,EAAE,kDAAkD;oBAC1D,KAAK,EAAE,oDAAoD;iBAC5D;gBACD,YAAY,EAAE;oBACZ,WAAW,EAAE,uFAAuF;oBACpG,cAAc,EAAE;4CACgB;oBAChC,eAAe,EAAE;wBACf,uCAAuC;wBACvC,oBAAoB;wBACpB,+BAA+B;qBAChC;iBACF;aACF,CAAC,CACH,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"typescript-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/typescript-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAuB7C,qBAAa,kBAAmB,YAAW,aAAa;IACtD,SAAgB,QAAQ,EAAE,iBAAiB,CAAgB;IAE3D;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAgDtB,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAmCtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IAmCrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+JxB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAwH5B;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAgCnC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAkD3B;;OAEG;IACH,OAAO,CAAC,6BAA6B;IA2DrC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiEhC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA0E1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAmC7B;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAkDpC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsDlC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA6C5B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+C/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0D/B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAiDjC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAiFnC,OAAO,CAAC,mBAAmB;IA2K3B,OAAO,CAAC,cAAc;IAwCtB,OAAO,CAAC,kBAAkB;IAwB1B,OAAO,CAAC,eAAe;IAmFvB;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAkDlC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,0BAA0B;IA2IlC,OAAO,CAAC,gBAAgB;CAqBzB"}
1
+ {"version":3,"file":"typescript-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/typescript-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAwB7C,qBAAa,kBAAmB,YAAW,aAAa;IACtD,SAAgB,QAAQ,EAAE,iBAAiB,CAAgB;IAE3D;;;;;;;OAOG;IACH,OAAO,CAAC,oBAAoB;IAgDtB,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAsCtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IAmCrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+JxB;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAwH5B;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAgCnC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAkD3B;;OAEG;IACH,OAAO,CAAC,6BAA6B;IA2DrC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IA8DlC;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAiEhC;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA0E1B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAmC7B;;OAEG;IACH,OAAO,CAAC,4BAA4B;IAkDpC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsDlC;;OAEG;IACH,OAAO,CAAC,oBAAoB;IA6C5B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA+C/B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0D/B;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAiDjC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IAiFnC,OAAO,CAAC,mBAAmB;IA2K3B,OAAO,CAAC,cAAc;IAwCtB,OAAO,CAAC,kBAAkB;IAwB1B,OAAO,CAAC,eAAe;IAmFvB;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAkDlC;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,0BAA0B;IA2IlC,OAAO,CAAC,gBAAgB;CAqBzB"}
package/dist/src/lib/analyzers/typescript-analyzer.js CHANGED
@@ -18,6 +18,7 @@ const authentication_1 = require("./typescript/security-checks/authentication");
18
18
  const logging_failures_1 = require("./typescript/security-checks/logging-failures");
19
19
  const secrets_analyzer_1 = require("./secrets/secrets-analyzer");
20
20
  const ai_generated_code_1 = require("./typescript/security-checks/ai-generated-code");
21
+ const type_safety_1 = require("./typescript/security-checks/type-safety");
21
22
  // TypeScript Compiler API Integration (2025-12-02)
22
23
  const type_checker_1 = require("./typescript/type-checker");
23
24
  class TypeScriptAnalyzer {
@@ -99,6 +100,8 @@ class TypeScriptAnalyzer {
99
100
  // AI-Generated Code Detection (Phase 1.5, Week 5-7)
100
101
  const lines = input.code.split('\n');
101
102
  result.security.vulnerabilities.push(...(0, ai_generated_code_1.checkAIGeneratedCode)(lines, input.filename));
103
+ // Type Safety Detection - Common type mismatches (Jan 23, 2026)
104
+ result.security.vulnerabilities.push(...(0, type_safety_1.checkTypeSafety)(lines, input.filename));
102
105
  }
103
106
  catch (error) {
104
107
  const errorMessage = error instanceof Error ? error.message : 'Unknown error';