codeslick-cli 1.2.0 → 1.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +18 -19
- package/dist/packages/cli/src/reporters/cli-reporter.js +7 -7
- package/dist/packages/cli/src/reporters/cli-reporter.js.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.d.ts +5 -2
- package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.js +61 -5
- package/dist/src/lib/analyzers/go/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts +6 -4
- package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.d.ts.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js +97 -4
- package/dist/src/lib/analyzers/go/security-checks/credentials-crypto.js.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.d.ts +21 -0
- package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.d.ts.map +1 -0
- package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.js +114 -0
- package/dist/src/lib/analyzers/go/security-checks/enhanced-supply-chain.js.map +1 -0
- package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts +1 -0
- package/dist/src/lib/analyzers/go/security-checks/injection-attacks.d.ts.map +1 -1
- package/dist/src/lib/analyzers/go/security-checks/injection-attacks.js +48 -0
- package/dist/src/lib/analyzers/go/security-checks/injection-attacks.js.map +1 -1
- package/dist/src/lib/analyzers/go-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/go-analyzer.js +3 -0
- package/dist/src/lib/analyzers/go-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts +226 -2
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.d.ts.map +1 -1
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js +1108 -23
- package/dist/src/lib/analyzers/helpers/ai-code-detection-utils.js.map +1 -1
- package/dist/src/lib/analyzers/helpers/variable-tracker.d.ts.map +1 -1
- package/dist/src/lib/analyzers/helpers/variable-tracker.js +6 -4
- package/dist/src/lib/analyzers/helpers/variable-tracker.js.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts +2 -0
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js +76 -12
- package/dist/src/lib/analyzers/java/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts +2 -0
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.d.ts.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js +99 -6
- package/dist/src/lib/analyzers/java/security-checks/enhanced-supply-chain.js.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts +1 -0
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.d.ts.map +1 -1
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js +41 -3
- package/dist/src/lib/analyzers/java/security-checks/injection-attacks.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts +3 -2
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js +82 -11
- package/dist/src/lib/analyzers/javascript/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts +3 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js +75 -0
- package/dist/src/lib/analyzers/javascript/security-checks/enhanced-supply-chain.js.map +1 -1
- package/dist/src/lib/analyzers/javascript-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/javascript-analyzer.js +9 -2
- package/dist/src/lib/analyzers/javascript-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts +3 -2
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js +113 -10
- package/dist/src/lib/analyzers/python/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts +2 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js +48 -0
- package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts +3 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js +84 -0
- package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts +4 -2
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js +43 -3
- package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js.map +1 -1
- package/dist/src/lib/analyzers/python-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/python-analyzer.js +19 -3
- package/dist/src/lib/analyzers/python-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/aws.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js +2 -2
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/communication.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js +3 -3
- package/dist/src/lib/analyzers/secrets/patterns/api-keys/github.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js +8 -1
- package/dist/src/lib/analyzers/typescript/security-checks/ai-generated-code.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts +2 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js +49 -0
- package/dist/src/lib/analyzers/typescript/security-checks/enhanced-supply-chain.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts +13 -11
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js +79 -22
- package/dist/src/lib/analyzers/typescript/security-checks/injection-attacks.js.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts +24 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-safety.d.ts.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js +181 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-safety.js.map +1 -0
- package/dist/src/lib/analyzers/typescript-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript-analyzer.js +3 -0
- package/dist/src/lib/analyzers/typescript-analyzer.js.map +1 -1
- package/dist/src/lib/security/compliance-mapping.d.ts.map +1 -1
- package/dist/src/lib/security/compliance-mapping.js +19 -0
- package/dist/src/lib/security/compliance-mapping.js.map +1 -1
- package/dist/src/lib/security/severity-scoring.d.ts.map +1 -1
- package/dist/src/lib/security/severity-scoring.js +7 -0
- package/dist/src/lib/security/severity-scoring.js.map +1 -1
- package/package.json +1 -1
- package/src/reporters/cli-reporter.ts +7 -7
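--- a/package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js
+++ b/package/dist/src/lib/analyzers/python/security-checks/credentials-crypto.js
@@ -17,6 +17,8 @@ const createVulnerability_1 = require("../utils/createVulnerability");
 * - Pattern 1: Simple assignment (API_KEY = "...")
 * - Pattern 2: Dictionary values ('password': '...')
 * - Pattern 3: Flask secret_key (app.secret_key = '...')
+* - Pattern 4: Conditionals (if username == "admin") - Priority 2 Fix
+* - Pattern 5: Hardcoded fallback in os.getenv() (MEDIUM) - Priority 2 Fix
 * - Check #8a: random module for security (MEDIUM) - Weak RNG
 * - Check #8b: MD5/SHA1 for password hashing (HIGH) - Broken crypto
 *
@@ -109,6 +111,52 @@ function checkCredentialsAndCrypto(lines) {
 'Exposed in version control history'
 ], 'app.secret_key = "my-super-secret-flask-key"', 'import os\napp.secret_key = os.getenv("FLASK_SECRET_KEY") # Store in .env file (add to .gitignore)\n# Generate with: python -c "import secrets; print(secrets.token_hex(32))"', 'Always use environment variables for Flask secret_key. Generate a strong random key with secrets.token_hex(32)'));
 }
+// Pattern 4: Hardcoded credentials in conditionals (Priority 2 Fix) - if username == "admin"
+// Detects: if username == "admin", if password == "Password123!", etc.
+const conditionalCredMatch = trimmed.match(/(?:if|elif)\s+(?:.*\s+)?(?:username|password|passwd|pwd|auth_token|api[_-]?key|user|credential)\s*==\s*(['"])([^'"]{3,})\1/i);
+// Also check reverse pattern: if "admin" == username
+const reverseConditionalMatch = !conditionalCredMatch ? trimmed.match(/(?:if|elif)\s+(['"])([^'"]{3,})\1\s*==\s*(?:username|password|passwd|pwd|auth_token|api[_-]?key|user|credential)/i) : null;
+const conditionalMatch = conditionalCredMatch || reverseConditionalMatch;
+if (conditionalMatch &&
+!trimmed.includes('print(') && // Skip print statements
+!trimmed.includes('logger.') && // Skip logger statements
+!trimmed.match(/allowed_emails|allowed_usernames|whitelist/i)) { // Skip whitelist checks
+const credentialValue = conditionalCredMatch ? conditionalCredMatch[2] : (reverseConditionalMatch ? reverseConditionalMatch[2] : '');
+// Additional validation: check if value looks like a real credential
+const isRealCredential = credentialValue.length >= 3 &&
+!credentialValue.match(/^(test|example|demo|sample|fake|your|placeholder|null|none|empty)/i);
+if (isRealCredential) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('hardcoded-credentials', 'CRITICAL: Hardcoded credentials in authentication logic', 'Use secure credential storage and comparison (database with hashed passwords)', lineNumber, 'Hardcoded credentials in conditional statements create backdoor authentication mechanisms. These credentials cannot be rotated, are visible in source code, and persist in Git history forever. Attackers with code access gain immediate system access.', 'if username == "admin" and password == "Password123!": # Backdoor authentication', [
+'Authentication bypass via hardcoded backdoor credentials',
+'Unauthorized system access',
+'Cannot rotate credentials without code deployment',
+'Exposed in version control history',
+'Compliance violations (PCI-DSS, SOC 2, ISO 27001)'
+], 'def authenticate(self, username, password):\n if username == "admin" and password == "Password123!":\n return True', 'def authenticate(self, username, password):\n # Hash the provided password\n hashed = bcrypt.hashpw(password.encode(), bcrypt.gensalt())\n \n # Query database for user\n user = db.query(User).filter(User.username == username).first()\n \n # Verify password against stored hash\n if user and bcrypt.checkpw(password.encode(), user.password_hash):\n return True\n return False', 'Never hardcode credentials in conditional statements. Use secure password hashing (bcrypt/argon2) with database storage. Implement proper authentication with password verification against stored hashes.'));
+}
+}
+// Pattern 5: Hardcoded fallback credentials in os.getenv() - MEDIUM (Priority 2 Fix - Jan 23, 2026)
+// Detects: os.getenv('KEY', 'hardcoded_value') or os.environ.get('KEY', 'default')
+const getenvFallbackMatch = trimmed.match(/os\.(getenv|environ\.get)\s*\(\s*['"]([^'"]+)['"]\s*,\s*(['"])([^'"]{8,})\3\)/);
+if (getenvFallbackMatch &&
+!trimmed.includes('print(') &&
+!trimmed.includes('logger.')) {
+const envVarName = getenvFallbackMatch[2];
+const fallbackValue = getenvFallbackMatch[4];
+// Check if env var name or fallback value suggests credentials
+const isCredentialEnvVar = envVarName.match(/password|passwd|pwd|secret|key|token|credential|auth/i);
+const looksLikeCredential = fallbackValue.length >= 8 &&
+!fallbackValue.match(/^(test|example|demo|sample|fake|your|placeholder|default)/i);
+if (isCredentialEnvVar && looksLikeCredential) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('hardcoded-credentials', 'Hardcoded fallback credential in os.getenv() - fails securely by default instead', 'Remove hardcoded fallback - let application fail if env var is missing', lineNumber, 'Hardcoded fallback values in os.getenv() create a false sense of security. If the environment variable is not set (deployment error, misconfiguration), the application silently falls back to weak hardcoded credentials. This is especially dangerous in production where missing env vars should cause immediate failure, not silent degradation to insecure defaults.', 'db_password = os.getenv("DB_PASSWORD", "default_password") # Silently uses weak password if env var missing', [
+'Silent security degradation (no error if env var missing)',
+'Production deployment with weak default credentials',
+'False sense of security (looks like env var is used)',
+'Difficult to detect in incident response',
+'Compliance violations (credentials in code)'
+], 'db_password = os.getenv("DB_PASSWORD", "default_password")\napi_key = os.getenv("API_KEY", "sk-default-key-12345")', 'db_password = os.getenv("DB_PASSWORD")\nif not db_password:\n raise ValueError("DB_PASSWORD environment variable is required")\n\napi_key = os.getenv("API_KEY")\nif not api_key:\n raise ValueError("API_KEY environment variable is required")', 'Never use hardcoded fallback values for credentials in os.getenv(). Applications should fail loudly and immediately if required environment variables are missing. This forces proper configuration and prevents silent security degradation. Use environment variable validation at startup instead.'));
+}
+}
 // OWASP A02:2021 - Cryptographic Failures
 // 8. random.random() for security - MEDIUM
 if (trimmed.match(/random\.(random|randint|choice)\(/)) {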
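Review bot: Pattern 4 reports CRITICAL whenever the compared name is `user` or `username`, but a literal username comparison such as `if username == "root": deny_access()` is an authorization or role check rather than a secret; only the `password`/`passwd`/`pwd`/`auth_token`/`api_key`/`credential` branch carries credential material. I would report the username-only case at a lower severity (or only when the same line also compares a password) and state in the `// Detects:` comment that a bare username comparison is not by itself evidence of a backdoor. The Pattern 5 title is garbled, stating the remedy as if it were the finding: `'Hardcoded fallback credential in os.getenv() - fails securely by default instead'` should read `'Hardcoded fallback credential in os.getenv() (application should fail when the variable is unset)'`. Its `isCredentialEnvVar` test also matches unanchored substrings (`key`, `auth`), so `KEYBOARD_LAYOUT` or `AUTHOR_NAME` qualify as credential variables; `envVarName.match(/(?:^|_)(?:password|passwd|pwd|secret|key|token|credential|auth)(?:_|$)/i)` keeps `API_KEY`, `DB_PASSWORD` and `AUTH_TOKEN` while rejecting those. `checkCredentialsAndCrypto` begins before and continues past this hunk.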
@@ -1 +1 @@
1
-
{"version":3,"file":"credentials-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/credentials-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;
1
+
{"version":3,"file":"credentials-crypto.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/credentials-crypto.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AAqBH,8DA6QC;AA/RD,sEAAiF;AAEjF;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,yBAAyB,CACvC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,4DAA4D;QAC5D,sCAAsC;QACtC,iDAAiD;QACjD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,mIAAmI,CAAC,CAAC;QAE3K,IAAI,eAAe;YACf,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC/B,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAW,wBAAwB;YAC9D,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAU,yBAAyB;YAC/D,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAK,+CAA+C;YACvF,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC,wBAAwB;YAEjF,MAAM,eAAe,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;YAE3C,qEAAqE;YACrE,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,oDAAoD,CAAC;gBAC5E,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,2BAA2B;YAEjE,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,8CAA8C,EAC9C,6DAA6D,EAC7D,UAAU,EACV,mIAAmI,EACnI,6EAA6E,EAC7E;oBACE,gCAAgC;oBAChC,kBAAkB;oBAClB,aAAa;oBACb,oCAAoC;oBACpC,oCAAo
C;iBACrC,EACD,iCAAiC,EACjC,qFAAqF,EACrF,gIAAgI,CACjI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,6DAA6D;QAC7D,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,oIAAoI,CAAC,CAAC;QAEhL,IAAI,mBAAmB;YACnB,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;YAC/B,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC9B,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC5B,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAW,wBAAwB;YAC9D,CAAC,OAAO,CAAC,KAAK,CAAC,mBAAmB,CAAC,EAAE,CAAC,CAAE,+CAA+C;YAEzF,MAAM,eAAe,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YAE/C,qEAAqE;YACrE,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,oDAAoD,CAAC;gBAC5E,CAAC,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,2BAA2B;YAEjE,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,mDAAmD,EACnD,6DAA6D,EAC7D,UAAU,EACV,kJAAkJ,EAClJ,2EAA2E,EAC3E;oBACE,kCAAkC;oBAClC,kBAAkB;oBAClB,aAAa;oBACb,oCAAoC;oBACpC,oCAAoC;iBACrC,EACD,mDAAmD,EACnD,2FAA2F,EAC3F,gIAAgI,CACjI,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,IAAI,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,EAAE,CAAC;YAC1D,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,qDAAqD,EACrD,+CAA+C,EAC/C,UAAU,EACV,8IAA8I,EAC9I,wFAAwF,EACxF;gBACE,wBAAwB;gBACxB,uBAAuB;gBACvB,oBAAoB;gBACpB,oCAAoC;gBACpC,oCAAoC;aACrC,EACD,8CAA8C,EAC9C,gLAAgL,EAChL,gHAAgH,CACjH,CAAC,CAAC;QACL,CAAC;QAED,6FAA6F;QAC7F,uEAAuE;QACvE,MAAM,oBAAoB,GAAG,OAAO,CAAC,KAAK,CAAC,6HAA6H,CAAC,CAAC;QAE1K,qDAAqD;QACrD,MAAM,uBAAuB,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,mHAAmH,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAElM,MAAM,gBAAgB,GAAG,oBAAoB,IAAI,uBAAuB,CAAC;QAEzE,IAAI,gBAAgB;YAChB,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAW,wBAAwB;YAC9D,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAU,yBAAyB;YAC/D,CAAC,OAAO,CAAC,KAAK,CAAC,6CAA6C,CAAC,EAAE,CAAC,CAAC,wBAAwB;YAE3F,MAAM,eAAe,GAAG,oBAAoB,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAErI,qEAAqE;YACrE,MAAM,gBAAgB,GACpB,eAAe,CAAC,MAAM,IAAI,CAAC;gBAC3B,CAAC,eAAe,CAAC,KAAK,CAAC,oEAAoE,CAAC,CAAC;YAE/F,IAAI,gBAAgB,EAAE,CAAC;gBACrB,eAAe,CAAC
,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,yDAAyD,EACzD,+EAA+E,EAC/E,UAAU,EACV,0PAA0P,EAC1P,mFAAmF,EACnF;oBACE,0DAA0D;oBAC1D,4BAA4B;oBAC5B,mDAAmD;oBACnD,oCAAoC;oBACpC,mDAAmD;iBACpD,EACD,8HAA8H,EAC9H,0ZAA0Z,EAC1Z,4MAA4M,CAC7M,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,oGAAoG;QACpG,mFAAmF;QACnF,MAAM,mBAAmB,GAAG,OAAO,CAAC,KAAK,CAAC,+EAA+E,CAAC,CAAC;QAE3H,IAAI,mBAAmB;YACnB,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAC3B,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAEjC,MAAM,UAAU,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,aAAa,GAAG,mBAAmB,CAAC,CAAC,CAAC,CAAC;YAE7C,+DAA+D;YAC/D,MAAM,kBAAkB,GAAG,UAAU,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;YACrG,MAAM,mBAAmB,GAAG,aAAa,CAAC,MAAM,IAAI,CAAC;gBACzB,CAAC,aAAa,CAAC,KAAK,CAAC,4DAA4D,CAAC,CAAC;YAE/G,IAAI,kBAAkB,IAAI,mBAAmB,EAAE,CAAC;gBAC9C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,uBAAuB,EACvB,kFAAkF,EAClF,wEAAwE,EACxE,UAAU,EACV,2WAA2W,EAC3W,8GAA8G,EAC9G;oBACE,2DAA2D;oBAC3D,qDAAqD;oBACrD,sDAAsD;oBACtD,0CAA0C;oBAC1C,6CAA6C;iBAC9C,EACD,oHAAoH,EACpH,wPAAwP,EACxP,uSAAuS,CACxS,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,0CAA0C;QAC1C,2CAA2C;QAC3C,IAAI,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC;YACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,aAAa,EACb,yCAAyC,EACzC,sDAAsD,EACtD,UAAU,EACV,sIAAsI,EACtI,iFAAiF,EACjF;gBACE,gCAAgC;gBAChC,mBAAmB;gBACnB,uBAAuB;gBACvB,0BAA0B;aAC3B,EACD,uDAAuD,EACvD,yHAAyH,EACzH,yGAAyG,CAC1G,CAAC,CAAC;QACL,CAAC;QAED,oDAAoD;QACpD,2DAA2D;QAC3D,IAAI,OAAO,CAAC,KAAK,CAAC,0BAA0B,CAAC;YACzC,CAAC,OAAO,CAAC,KAAK,CAAC,mCAAmC,CAAC;gBAClD,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC;gBAC7B,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;YAC9C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,aAAa,EACb,4DAA4D,EAC5D,oDAAoD,EACpD,UAAU,EACV,mPAAmP,EACnP,4FAA4F,EAC5F;gBACE,iDAAiD;gBACjD,kBAAkB;gBAClB,aAAa;gBACb,6BAA6B;gBAC7B,yBAAyB;aAC1B,EACD,qGAAqG,EACrG,gQAAgQ,EAChQ,+HAA+H,CAChI,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
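--- a/package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts
+++ b/package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.d.ts
@@ -1,6 +1,7 @@
 /**
 * Python Enhanced Supply Chain Security Checks
 * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
+* Phase 1.5 Week 12: Added Check #6 for known malicious packages
 *
 * Enhanced supply chain security checks building on existing dependency scanning.
 * Focuses on runtime dependencies, package integrity, and malicious code patterns.
@@ -15,6 +16,8 @@ import { SecurityVulnerability } from '../../types';
 * - Check #3: Suspicious package patterns (HIGH)
 * - Check #4: Untrusted package sources (MEDIUM)
 * - Check #5: Package typosquatting patterns (MEDIUM)
+* - Check #6: Known malicious packages in source code (CRITICAL)
+* - Check #7: Known malicious packages in requirements.txt (CRITICAL) 🆕
 *
 * @param lines - Array of code lines
 * @returns Array of security vulnerabilities found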
@@ -1 +1 @@
1
-
{"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA
1
+
{"version":3,"file":"enhanced-supply-chain.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAoCpD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,MAAM,EAAE,GACd,qBAAqB,EAAE,CAsQzB"}
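--- a/package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js
+++ b/package/dist/src/lib/analyzers/python/security-checks/enhanced-supply-chain.js
@@ -2,6 +2,7 @@
 /**
 * Python Enhanced Supply Chain Security Checks
 * OWASP A03:2025 - Software Supply Chain Failures (Enhanced)
+* Phase 1.5 Week 12: Added Check #6 for known malicious packages
 *
 * Enhanced supply chain security checks building on existing dependency scanning.
 * Focuses on runtime dependencies, package integrity, and malicious code patterns.
@@ -9,6 +10,38 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.checkEnhancedSupplyChain = checkEnhancedSupplyChain;
 const createVulnerability_1 = require("../utils/createVulnerability");
+/**
+* Curated list of known malicious PyPI packages
+* Source: OSSF Malicious Packages Database + historical incidents
+* Updated: January 2026
+*/
+const KNOWN_MALICIOUS_PACKAGES = [
+// Historical high-profile incidents
+'python3-dateutil',
+'jeIlyfish',
+'python3-dateuti1',
+'colourama',
+'libpeshka',
+'pycrypto',
+'python-mysql',
+'python-sqlite',
+'pytagora',
+// Typosquatting common packages
+'request',
+'requestes',
+'req',
+'django-tools',
+'django-toolbelt',
+'numpy-python',
+'pandas-python',
+'flask-security',
+'beautifulsoup',
+// Recent malware campaigns (2024-2026)
+'discord-py',
+'python-discord',
+'telethon-proxy',
+'pyside-qt5'
+];
 /**
 * Checks for enhanced supply chain security vulnerabilities in Python code
 *
@@ -18,6 +51,8 @@ const createVulnerability_1 = require("../utils/createVulnerability");
 * - Check #3: Suspicious package patterns (HIGH)
 * - Check #4: Untrusted package sources (MEDIUM)
 * - Check #5: Package typosquatting patterns (MEDIUM)
+* - Check #6: Known malicious packages in source code (CRITICAL)
+* - Check #7: Known malicious packages in requirements.txt (CRITICAL) 🆕
 *
 * @param lines - Array of code lines
 * @returns Array of security vulnerabilities found
@@ -121,6 +156,55 @@ function checkEnhancedSupplyChain(lines) {
 'Credential theft and data exfiltration'
 ], 'pip install djangoo', 'pip install django # use official package name from PyPI', 'Package names should be verified against official PyPI listings to avoid typosquatting attacks'));
 }
+// Check #6: Known malicious packages (OSSF database)
+// Phase 1.5 Week 12: Detect import of packages confirmed as malicious
+if (lowerLine.includes('import ') || lowerLine.includes('from ')) {
+// Extract package name from import statement (before any inline comment)
+const codeBeforeComment = trimmedLine.split('#')[0];
+// Patterns: "import package", "from package import", "import package as"
+const importMatch = codeBeforeComment.match(/^\s*import\s+([a-zA-Z0-9_-]+)/);
+const fromImportMatch = codeBeforeComment.match(/^\s*from\s+([a-zA-Z0-9_-]+)/);
+const packageName = (importMatch || fromImportMatch)?.[1];
+if (packageName) {
+if (KNOWN_MALICIOUS_PACKAGES.includes(packageName)) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('known-malicious-package', `CRITICAL: Known malicious package detected - "${packageName}"`, 'Remove this package immediately and check for compromise', index + 1, `Package "${packageName}" is confirmed malicious by OSSF database. This package has been involved in supply chain attacks.`, `import ${packageName} # confirmed malware`, [
+'Malicious code execution from confirmed malware',
+'Data theft and credential harvesting',
+'Backdoor installation and remote access',
+'Supply chain compromise and lateral movement',
+'System compromise and persistence mechanisms'
+], `import ${packageName}`, `# Remove "${packageName}" - this package is malicious\n# Check requirements.txt and remove from dependencies\n# Review code for any malicious activity`, `This package is listed in the OSSF Malicious Packages Database. Immediate removal required.`));
+}
+}
+}
+// Check #7: Known malicious packages in requirements.txt
+// Detect dependency declarations in requirements.txt files
+// Pattern: package-name==version or package-name>=version or package-name (no specifier)
+// Extract before inline comment (#) to handle: "package==1.0.0 # comment"
+const codeBeforeComment = trimmedLine.split('#')[0].trim();
+if (codeBeforeComment) {
+// Requirements.txt patterns:
+// - package-name==1.0.0
+// - package-name>=1.0.0
+// - package-name~=1.0.0
+// - package-name[extras]==1.0.0
+// - package-name
+const requirementsMatch = codeBeforeComment.match(/^([a-zA-Z0-9_-]+)\s*(\[.*?\])?\s*(==|>=|~=|<=|<|>)?/i);
+if (requirementsMatch) {
+const packageName = requirementsMatch[1];
+// Only process if it looks like a package name (not Python code like "import", "def", "class")
+const isPythonKeyword = ['import', 'from', 'def', 'class', 'if', 'for', 'while', 'return', 'print'].includes(packageName.toLowerCase());
+if (!isPythonKeyword && KNOWN_MALICIOUS_PACKAGES.includes(packageName)) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('known-malicious-package', `CRITICAL: Known malicious package detected - "${packageName}"`, 'Remove this package immediately from requirements.txt and run pip uninstall', index + 1, `Package "${packageName}" is confirmed malicious by OSSF database. This package has been involved in supply chain attacks.`, `${packageName}==1.0.0 # confirmed malware in requirements.txt`, [
+'Malicious code execution from confirmed malware',
+'Data theft and credential harvesting',
+'Backdoor installation and remote access',
+'Supply chain compromise and lateral movement',
+'System compromise and persistence mechanisms'
+], `${packageName}==1.0.0`, `# Remove "${packageName}" - this package is malicious\n# Delete from requirements.txt\n# Run: pip uninstall ${packageName}\n# Review code for any malicious activity`, `This package is listed in the OSSF Malicious Packages Database. Immediate removal required.`));
+}
+}
+}
 });
 return vulnerabilities;
 }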
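Review bot: Check #7 runs on every line handed to `checkEnhancedSupplyChain`, not only on requirements files, and its regex `^([a-zA-Z0-9_-]+)\s*(\[.*?\])?\s*(==|>=|~=|<=|<|>)?` anchors only the start of the line, so any Python statement beginning with a listed identifier is reported as a CRITICAL known-malicious package — `request.args.get("id")` in a Flask view matches `request`, and `req = session.get(url)` matches `req`. Anchoring the pattern to the end of the line (name, optional extras, optional specifier plus version, then `$`) restricts it to lines that actually parse as a requirement and makes the keyword list on line 196 unnecessary. Both checks also compare names with a case-sensitive `includes`, whereas PyPI names are case-insensitive and treat `-`, `_` and `.` alike (PEP 503), so `Colourama==1.0` or `python3_dateutil` slip through; comparing normalized names fixes that, but note that normalization also maps the legitimate `discord.py` onto the listed `discord-py`, and entries such as `pycrypto` or `flask-security` read as abandoned packages rather than confirmed malware, so the list is worth re-checking against the cited source before the finding is rated CRITICAL. `checkEnhancedSupplyChain` and its per-line `forEach` callback begin before this hunk.
```javascript
// PEP 503: PyPI names are case-insensitive and '-', '_' and '.' are interchangeable
const normalizePackageName = (name) => name.toLowerCase().replace(/[-_.]+/g, '-');
const KNOWN_MALICIOUS_NORMALIZED = new Set(KNOWN_MALICIOUS_PACKAGES.map(normalizePackageName));
// … unchanged: function header and Check #6 import extraction …
if (packageName && KNOWN_MALICIOUS_NORMALIZED.has(normalizePackageName(packageName))) {
// … unchanged: Check #6 vulnerability push …
// Check #7: the whole line must parse as a requirement (name, optional extras,
// optional specifier + version), so a statement such as `req = ...` no longer matches
const requirementsMatch = codeBeforeComment.match(/^([a-zA-Z0-9_.-]+)\s*(\[[^\]]*\])?\s*(?:(==|>=|~=|<=|!=|<|>)\s*[^\s;,]+)?\s*$/);
if (requirementsMatch) {
const packageName = requirementsMatch[1];
if (KNOWN_MALICIOUS_NORMALIZED.has(normalizePackageName(packageName))) {
// … unchanged: Check #7 vulnerability push …
```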
@@ -1 +1 @@
1
-
{"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA
1
+
{"version":3,"file":"enhanced-supply-chain.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/enhanced-supply-chain.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAqDH,4DAwQC;AA1TD,sEAAiF;AAEjF;;;;GAIG;AACH,MAAM,wBAAwB,GAAG;IAC/B,oCAAoC;IACpC,kBAAkB;IAClB,WAAW;IACX,kBAAkB;IAClB,WAAW;IACX,WAAW;IACX,UAAU;IACV,cAAc;IACd,eAAe;IACf,UAAU;IACV,gCAAgC;IAChC,SAAS;IACT,WAAW;IACX,KAAK;IACL,cAAc;IACd,iBAAiB;IACjB,cAAc;IACd,eAAe;IACf,gBAAgB;IAChB,eAAe;IACf,uCAAuC;IACvC,YAAY;IACZ,gBAAgB;IAChB,gBAAgB;IAChB,YAAY;CACb,CAAC;AAEF;;;;;;;;;;;;;;GAcG;AACH,SAAgB,wBAAwB,CACtC,KAAe;IAEf,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAEhC,kFAAkF;QAClF,MAAM,cAAc,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAElF,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,8BAA8B;gBAC9B,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,8DAA8D;gBAC9D,MAAM,gBAAgB,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC7G,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,4CAA4C;oBAC5C,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO,CAAC,iBAAiB;YAC3B,CAAC;iBAAM,CAAC;gBACN,4BAA4B;gBAC5B,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO,CAAC,iBAAiB;YAC3B,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,WAAW;YACZ,kBAAkB;YAClB,WAAW,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;QACT,CAAC;QAED,MAAM,SAAS,GAAG,WAAW,CAAC,WAAW,EAAE,CAAC;QAE5C,+CAA+C;QAC/C,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,0BAA0B,CAAC,CAAC;YACrF,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC9D,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,EAAE,CAAC;YACzE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,8BAA8B,EAC9B,mDAAmD,EACnD,oEAAoE,EACpE,KAAK,GAAG,CAAC,EACT,4FAA4F,EAC5F,mDAAmD,EACnD;gBACE,4CAA4C;gBAC5C,iDAAiD;gBACjD,iCAAiC;gBACjC,8CAA8C;aAC/C,EACD,wBAAwB,
EACxB,+FAA+F,EAC/F,sGAAsG,CACvG,CACF,CAAC;QACJ,CAAC;QAED,yCAAyC;QACzC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;YACvE,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC;gBACvE,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,EAAE,CAAC;YAChF,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,8BAA8B,EAC9B,uCAAuC,EACvC,wEAAwE,EACxE,KAAK,GAAG,CAAC,EACT,4FAA4F,EAC5F,yEAAyE,EACzE;gBACE,+CAA+C;gBAC/C,mDAAmD;gBACnD,mDAAmD;gBACnD,+CAA+C;aAChD,EACD,kDAAkD,EAClD,0DAA0D,EAC1D,8FAA8F,CAC/F,CACF,CAAC;QACJ,CAAC;QAED,qEAAqE;QACrE,8FAA8F;QAC9F,MAAM,kBAAkB,GAAG,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC5E,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;YACzD,gGAAgG;YAChG,MAAM,aAAa,GAAG,IAAI,MAAM,CAAC,uBAAuB,GAAG,KAAK,EAAE,GAAG,CAAC,CAAC;YACvE,OAAO,aAAa,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAC9D,CAAC,oBAAoB;YACrB,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC;gBACrE,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC3D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACnE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,4BAA4B,EAC5B,gDAAgD,EAChD,+DAA+D,EAC/D,KAAK,GAAG,CAAC,EACT,mFAAmF,EACnF,wCAAwC,EACxC;gBACE,6CAA6C;gBAC7C,sCAAsC;gBACtC,yCAAyC;gBACzC,mDAAmD;aACpD,EACD,iBAAiB,EACjB,+CAA+C,EAC/C,0EAA0E,CAC3E,CACF,CAAC;QACJ,CAAC;QAED,sCAAsC;QACtC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;YACzE,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC9D,SAAS,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACpF,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,0BAA0B,EAC1B,4DAA4D,EAC5D,mEAAmE,EACnE,KAAK,GAAG,CAAC,EACT,yEAAyE,EACzE,oEAAoE,EACpE;gBACE,kDAAkD;gBAClD,gDAAgD;gBAChD,gDAAgD;gBAChD,iDAAiD;aAClD,EACD,gEAAgE,EAChE,wEAAwE,EACxE,wEAAwE,CACzE,CACF,CAAC;QACJ,CAAC;
QAED,2DAA2D;QAC3D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;YACzE,CAAC,SAAS,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC;gBACvE,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;gBAC1D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC7D,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAC/D,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;YACpC,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,+BAA+B,EAC/B,mDAAmD,EACnD,2DAA2D,EAC3D,KAAK,GAAG,CAAC,EACT,sEAAsE,EACtE,0CAA0C,EAC1C;gBACE,+DAA+D;gBAC/D,gDAAgD;gBAChD,uDAAuD;gBACvD,wCAAwC;aACzC,EACD,qBAAqB,EACrB,0DAA0D,EAC1D,gGAAgG,CACjG,CACF,CAAC;QACJ,CAAC;QAED,qDAAqD;QACrD,sEAAsE;QACtE,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAEjE,yEAAyE;YACzE,MAAM,iBAAiB,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACpD,yEAAyE;YACzE,MAAM,WAAW,GAAG,iBAAiB,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YAC7E,MAAM,eAAe,GAAG,iBAAiB,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAE/E,MAAM,WAAW,GAAG,CAAC,WAAW,IAAI,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAE1D,IAAI,WAAW,EAAE,CAAC;gBAChB,IAAI,wBAAwB,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBACnD,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,yBAAyB,EACzB,iDAAiD,WAAW,GAAG,EAC/D,0DAA0D,EAC1D,KAAK,GAAG,CAAC,EACT,YAAY,WAAW,oGAAoG,EAC3H,UAAU,WAAW,uBAAuB,EAC5C;wBACE,iDAAiD;wBACjD,sCAAsC;wBACtC,yCAAyC;wBACzC,8CAA8C;wBAC9C,8CAA8C;qBAC/C,EACD,UAAU,WAAW,EAAE,EACvB,aAAa,WAAW,gIAAgI,EACxJ,6FAA6F,CAC9F,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,yDAAyD;QACzD,2DAA2D;QAC3D,yFAAyF;QACzF,2EAA2E;QAC3E,MAAM,iBAAiB,GAAG,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE3D,IAAI,iBAAiB,EAAE,CAAC;YACtB,6BAA6B;YAC7B,wBAAwB;YACxB,wBAAwB;YACxB,wBAAwB;YACxB,gCAAgC;YAChC,iBAAiB;YACjB,MAAM,iBAAiB,GAAG,iBAAiB,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAC;YAE1G,IAAI,iBAAiB,EAAE,CAAC;gBACtB,MAAM,WAAW,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;gBAEzC,+FAA+F;gBAC/F,MAAM,eAAe,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EA
AE,OAAO,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC;gBAExI,IAAI,CAAC,eAAe,IAAI,wBAAwB,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;oBACvE,eAAe,CAAC,IAAI,CAClB,IAAA,uDAAiC,EAC/B,yBAAyB,EACzB,iDAAiD,WAAW,GAAG,EAC/D,6EAA6E,EAC7E,KAAK,GAAG,CAAC,EACT,YAAY,WAAW,oGAAoG,EAC3H,GAAG,WAAW,kDAAkD,EAChE;wBACE,iDAAiD;wBACjD,sCAAsC;wBACtC,yCAAyC;wBACzC,8CAA8C;wBAC9C,8CAA8C;qBAC/C,EACD,GAAG,WAAW,SAAS,EACvB,aAAa,WAAW,uFAAuF,WAAW,4CAA4C,EACtK,6FAA6F,CAC9F,CACF,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;IAEH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
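--- a/package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts
+++ b/package/dist/src/lib/analyzers/python/security-checks/injection-attacks.d.ts
@@ -16,10 +16,12 @@ import { SecurityVulnerability } from '../../types';
  * - Check #4: SQL Injection - Inline interpolation (CRITICAL)
  * - Check #4b: SQL Injection - Data flow tracking (CRITICAL)
  * - Check #5: Command Injection - Inline (CRITICAL)
- * - Check #5b: Command Injection - Data flow tracking (CRITICAL)
- * - Check #5c:
+ * - Check #5b: Command Injection - Data flow tracking (CRITICAL)
+ * - Check #5c: os.system/os.popen with variable - CRITICAL (Priority 1 Fix - Jan 23, 2026)
+ * - Check #5d: subprocess.Popen without shell=False (HIGH)
  * - Check #6: shell=True in subprocess (HIGH)
  * - Check #6b: subprocess.Popen with shell=True (HIGH)
+ * - Check #7: Path Traversal - String concatenation in file paths (HIGH) - Priority 1 Fix
  *
  * @param lines - Array of code lines
  * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting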
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD
|
|
1
|
+
{"version":3,"file":"injection-attacks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGpD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,MAAM,EAAE,EACf,kBAAkB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,EACvC,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC1C,qBAAqB,EAAE,CAqWzB"}
|
|
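--- a/package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js
+++ b/package/dist/src/lib/analyzers/python/security-checks/injection-attacks.js
@@ -19,10 +19,12 @@ const createVulnerability_1 = require("../utils/createVulnerability");
  * - Check #4: SQL Injection - Inline interpolation (CRITICAL)
  * - Check #4b: SQL Injection - Data flow tracking (CRITICAL)
  * - Check #5: Command Injection - Inline (CRITICAL)
- * - Check #5b: Command Injection - Data flow tracking (CRITICAL)
- * - Check #5c:
+ * - Check #5b: Command Injection - Data flow tracking (CRITICAL)
+ * - Check #5c: os.system/os.popen with variable - CRITICAL (Priority 1 Fix - Jan 23, 2026)
+ * - Check #5d: subprocess.Popen without shell=False (HIGH)
  * - Check #6: shell=True in subprocess (HIGH)
  * - Check #6b: subprocess.Popen with shell=True (HIGH)
+ * - Check #7: Path Traversal - String concatenation in file paths (HIGH) - Priority 1 Fix
  *
  * @param lines - Array of code lines
  * @param unsafeSqlVariables - Map of variable names with unsafe SQL string formatting
@@ -141,7 +143,23 @@ function checkInjectionAttacks(lines, unsafeSqlVariables, unsafeCommandVariables
 ], `# Line ${unsafeVarLine}:\ncommand = "echo " + user_input\n# Line ${lineNumber}:\nos.system(command)`, 'import subprocess\nsubprocess.run(["echo", user_input], shell=False) # Safe: arguments as list', 'Never concatenate user input into command strings. Use subprocess with shell=False and pass command and arguments as separate list items to prevent shell interpretation of special characters like ;, |, &, $, etc.'));
 }
 }
-// 5c.
+// 5c. os.system/os.popen with variable argument - CRITICAL (Priority 1 Fix)
+// Detects: os.system(cmd) where cmd is any variable (high risk since os.system always uses shell)
+if (trimmed.match(/\bos\.(system|popen)\s*\(\s*[a-zA-Z_][a-zA-Z0-9_]*\s*\)/)) {
+// Check if it's not already flagged by inline check
+const alreadyFlagged = vulnerabilities.some(v => v.line === lineNumber && v.category === 'command-injection');
+if (!alreadyFlagged) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('command-injection', 'CRITICAL: os.system() or os.popen() with variable - shell injection risk', 'Use subprocess.run() with shell=False and arguments as list', lineNumber, 'os.system() and os.popen() ALWAYS execute commands through a shell, making them vulnerable to command injection if the variable contains any user input. Even indirect user input (function parameters, class attributes) can be exploited.', 'def execute_command(cmd): os.system(cmd) # If user calls execute_command("ls; rm -rf /"), entire filesystem deleted', [
+'Remote Code Execution (RCE)',
+'Complete system takeover',
+'Data deletion via shell metacharacters (; | & $)',
+'Privilege escalation',
+'Backdoor installation',
+'Critical: Works even if variable seems "safe"'
+], 'def execute_command(cmd):\n os.system(cmd) # DANGEROUS: Shell injection if cmd contains "ls; rm -rf /"', 'import subprocess\ndef execute_command(cmd):\n # Parse cmd into command and args, or pass as list\n subprocess.run([cmd], shell=False) # Safe: No shell interpretation\n # Better: subprocess.run(["program", "arg1", "arg2"], shell=False)', 'NEVER use os.system() or os.popen() with variables. They ALWAYS invoke a shell, allowing injection via characters like ;, |, &, $, `. Use subprocess.run() with shell=False and pass the command as a list. Validate/sanitize input strictly if subprocess with shell=False is not feasible.'));
+}
+}
+// 5d. subprocess.Popen without explicit shell=False - HIGH (Priority 1 Improvement)
 // Detects subprocess.Popen calls that don't explicitly set shell=False
 if (trimmed.includes('subprocess.Popen(') &&
 !trimmed.includes('shell=False') &&
@@ -186,6 +204,28 @@ function checkInjectionAttacks(lines, unsafeSqlVariables, unsafeCommandVariables
 }
 }
 }
+// 7. Path Traversal - String concatenation with file paths - HIGH (Priority 1 Fix - Jan 23, 2026)
+// Detects: '/path/' + user_input, base_path + user_var, etc.
+// Pattern: open(), with open(), or file path operations with unsanitized concatenation
+const pathConcatMatch = trimmed.match(/(['"])([^'"]*\/[^'"]*)\1\s*\+\s*([a-zA-Z_][a-zA-Z0-9_]*)/);
+const reverseConcatMatch = !pathConcatMatch ? trimmed.match(/([a-zA-Z_][a-zA-Z0-9_]*)\s*\+\s*(['"])([^'"]*\/[^'"]*)\2/) : null;
+const openWithConcat = trimmed.match(/open\s*\([^)]*\+[^)]*\)/) || trimmed.match(/with\s+open\s*\([^)]*\+[^)]*\)/);
+if ((pathConcatMatch || reverseConcatMatch || openWithConcat) &&
+(trimmed.includes('open(') || trimmed.includes('with open')) &&
+!trimmed.includes('os.path.join') && // os.path.join still needs validation but is safer
+!trimmed.includes('.strip()') && // Skip simple string operations
+!trimmed.includes('.replace(')) { // Skip string sanitization
+const alreadyFlagged = vulnerabilities.some(v => v.line === lineNumber && v.category === 'path-traversal');
+if (!alreadyFlagged) {
+vulnerabilities.push((0, createVulnerability_1.createPythonSecurityVulnerability)('path-traversal', 'Path traversal vulnerability - unsanitized user input in file path', 'Validate and sanitize file paths - use os.path.basename() and whitelist allowed paths', lineNumber, 'String concatenation with user input in file paths allows attackers to access arbitrary files using path traversal sequences like ../ or absolute paths. This can expose sensitive files like /etc/passwd, configuration files, or source code.', 'full_path = "/uploads/" + user_path where user_path = "../../etc/passwd"', [
+'Arbitrary file read via path traversal (../../etc/passwd)',
+'Access to sensitive configuration files',
+'Source code disclosure',
+'Credential theft from config files',
+'Information disclosure for further attacks'
+], 'def read_file(user_path):\n full_path = "/var/uploads/" + user_path # Vulnerable!\n with open(full_path, "r") as f:\n return f.read()', 'import os\ndef read_file(user_path):\n # Sanitize: Extract only filename (removes path traversal)\n safe_filename = os.path.basename(user_path)\n \n # Validate: Check against whitelist\n allowed_files = ["data.txt", "config.json", "report.pdf"]\n if safe_filename not in allowed_files:\n raise ValueError("File not allowed")\n \n # Safe path construction\n full_path = os.path.join("/var/uploads", safe_filename)\n with open(full_path, "r") as f:\n return f.read()', 'Never concatenate user input directly into file paths. Use os.path.basename() to strip directory components, validate against a whitelist of allowed files, and construct paths with os.path.join(). For additional security, use chroot jails or run file operations in sandboxed environments.'));
+}
+}
 });
 return vulnerabilities;
 }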
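Review bot: The `openWithConcat` regex `/open\s*\([^)]*\+[^)]*\)/` in the path-traversal hunk matches the `+` inside a mode string, so `with open(path, "r+") as f:` (or any `w+`/`a+` open) is reported as path traversal although nothing is concatenated; guard it with `const modeFlag = /(['"])[rwxa]b?\+b?\1/.test(trimmed);` and add `!modeFlag &&` to the condition. Because the condition also requires `open(` or `with open` on the same line as the concatenation, the finding's own vulnerable example (`full_path = "/var/uploads/" + user_path` on one line, `open(full_path)` on the next) is not detected by this check, as far as the visible code shows. Suppressing any line that contains `.replace(` is also risky: `open(base + user_path.replace("..", ""))` is the classic bypassable sanitizer (`....//` survives a single-pass replace), so that exclusion should be dropped or narrowed rather than treated as evidence of sanitization. `checkInjectionAttacks` starts before this hunk, so the surrounding loop and the `vulnerabilities` accumulator are not visible here.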
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;
|
|
1
|
+
{"version":3,"file":"injection-attacks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/python/security-checks/injection-attacks.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;AA2BH,sDAyWC;AAjYD,sEAAiF;AAEjF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,SAAgB,qBAAqB,CACnC,KAAe,EACf,kBAAuC,EACvC,sBAA2C;IAE3C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,IAAI,kBAAkB,GAAG,KAAK,CAAC;IAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;QAC5B,MAAM,UAAU,GAAG,KAAK,GAAG,CAAC,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,kFAAkF;QAClF,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE1E,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC,kBAAkB,EAAE,CAAC;gBACxB,kBAAkB,GAAG,IAAI,CAAC;gBAC1B,MAAM,gBAAgB,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBACrG,IAAI,gBAAgB,IAAI,CAAC,EAAE,CAAC;oBAC1B,kBAAkB,GAAG,KAAK,CAAC;gBAC7B,CAAC;gBACD,OAAO;YACT,CAAC;iBAAM,CAAC;gBACN,kBAAkB,GAAG,KAAK,CAAC;gBAC3B,OAAO;YACT,CAAC;QACH,CAAC;QAED,+EAA+E;QAC/E,IAAI,CAAC,OAAO,IAAI,kBAAkB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9D,OAAO;QACT,CAAC;QAED,6BAA6B;QAC7B,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,wCAAwC,EACxC,+DAA+D,EAC/D,UAAU,EACV,8HAA8H,EAC9H,+EAA+E,EAC/E;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,6BAA6B;gBAC7B,oBAAoB;aACrB,EACD,2BAA2B,EAC3B,iIAAiI,EACjI,4GAA4G,CAC7G,CAAC,CAAC;QACL,CAAC;QAED,uBAAuB;QACvB,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,wCAAwC,EACxC,mDAAmD,EACnD,UAAU,EACV,kIAAkI,EAClI,iGAAiG,EACjG;gBACE,6BAA6B;gBAC7B,oBAAoB;gBACpB,mBAAmB;gBACnB,sBAAsB;aACvB,EACD,oBAAoB,EACpB,8GAA8G,EAC9G,sHAAsH,CACvH,CAAC,CAAC;QACL,CAAC;QAED,sBAAsB;QACtB,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACjC,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,YAAY,EACZ,sCAAsC,EACtC,qEAAqE,EACrE,UAAU,EACV,+GAA+G,EAC/G,4DAA4D,EAC5D;gBACE,gBAAgB;gBAChB,uBAAuB;gBACvB,6BAA6B;aAC9B,EACD,
gDAAgD,EAChD,4GAA4G,EAC5G,+GAA+G,CAChH,CAAC,CAAC;QACL,CAAC;QAED,8BAA8B;QAC9B,sDAAsD;QACtD,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC;YAC/C,OAAO,CAAC,KAAK,CAAC,iCAAiC,CAAC;YAChD,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YAC1C,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,eAAe,EACf,kDAAkD,EAClD,6CAA6C,EAC7C,UAAU,EACV,iKAAiK,EACjK,wFAAwF,EACxF;gBACE,0CAA0C;gBAC1C,uBAAuB;gBACvB,mBAAmB;gBACnB,kBAAkB;gBAClB,sBAAsB;aACvB,EACD,6DAA6D,EAC7D,uIAAuI,EACvI,8HAA8H,CAC/H,CAAC,CAAC;QACL,CAAC;QAED,qEAAqE;QACrE,uDAAuD;QACvD,IAAI,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC;YACjD,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACrE,IAAI,eAAe,EAAE,CAAC;gBACpB,MAAM,OAAO,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;oBACpC,MAAM,aAAa,GAAG,kBAAkB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;oBACvD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,eAAe,EACf,sCAAsC,OAAO,0BAA0B,aAAa,GAAG,EACvF,6CAA6C,EAC7C,UAAU,EACV,aAAa,OAAO,wDAAwD,aAAa,0FAA0F,EACnL,+DAA+D,aAAa,mCAAmC,UAAU,gBAAgB,EACzI;wBACE,0CAA0C;wBAC1C,uBAAuB;wBACvB,mBAAmB;wBACnB,kBAAkB;wBAClB,sBAAsB;qBACvB,EACD,UAAU,aAAa,kEAAkE,UAAU,0BAA0B,EAC7H,uIAAuI,EACvI,8HAA8H,CAC/H,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACtE,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC;YAC9E,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAChF,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,0CAA0C,EAC1C,0DAA0D,EAC1D,UAAU,EACV,wIAAwI,EACxI,6DAA6D,EAC7D;gBACE,6BAA6B;gBAC7B,4BAA4B;gBAC5B,eAAe;gBACf,sBAAsB;gBACtB,uBAAuB;aACxB,EACD,6BAA6B,EAC7B,oGAAoG,EACpG,4HAA4H,CAC7H,CAAC,CAAC;QACL,CAAC;QAED,8EAA8E;QAC9E,8DAA8D;QAC9D,MAAM,qBAAqB,GAAG,OAAO,CAAC,KAAK,CAAC,gFAAgF,CAAC,CAAC;QAC9H,IAAI,qBAAqB,EAAE,CAAC;YAC1B,MAAM,OAAO,GAAG,qBAAqB,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACxC,MAAM,aAAa,GAAG,sBAAsB,CAAC,GAAG,CAAC,OAAO,CAAE,CAAC;gBAC3D,eAAe,C
AAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,0CAA0C,OAAO,0BAA0B,aAAa,GAAG,EAC3F,0DAA0D,EAC1D,UAAU,EACV,aAAa,OAAO,4DAA4D,aAAa,yGAAyG,EACtM,0CAA0C,aAAa,gCAAgC,UAAU,gBAAgB,EACjH;oBACE,6BAA6B;oBAC7B,4BAA4B;oBAC5B,0DAA0D;oBAC1D,sBAAsB;oBACtB,uBAAuB;iBACxB,EACD,UAAU,aAAa,6CAA6C,UAAU,uBAAuB,EACrG,iGAAiG,EACjG,sNAAsN,CACvN,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,kGAAkG;QAClG,IAAI,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,EAAE,CAAC;YAC7E,oDAAoD;YACpD,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC9C,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,mBAAmB,CAC5D,CAAC;YAEF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,0EAA0E,EAC1E,6DAA6D,EAC7D,UAAU,EACV,6OAA6O,EAC7O,sHAAsH,EACtH;oBACE,6BAA6B;oBAC7B,0BAA0B;oBAC1B,kDAAkD;oBAClD,sBAAsB;oBACtB,uBAAuB;oBACvB,+CAA+C;iBAChD,EACD,4GAA4G,EAC5G,uPAAuP,EACvP,8RAA8R,CAC/R,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,oFAAoF;QACpF,uEAAuE;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YACrC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC;YAChC,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YACvC,2DAA2D;YAC3D,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,2CAA2C,CAAC;gBAC3D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAC5B,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAE/C,IAAI,YAAY,EAAE,CAAC;gBACjB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,6DAA6D,EAC7D,uDAAuD,EACvD,UAAU,EACV,wNAAwN,EACxN,4DAA4D,EAC5D;oBACE,6BAA6B;oBAC7B,0BAA0B;oBAC1B,wDAAwD;oBACxD,0BAA0B;iBAC3B,EACD,2BAA2B,EAC3B,4EAA4E,EAC5E,yIAAyI,CAC1I,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,KAAK,CAAC,qCAAqC,CAAC,EAAE,CAAC;YACzD,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,sDAAsD,EACtD,oDAAoD,EACpD,UAAU,EACV,oIAAoI,EACpI,4DAA4D,EAC5D;gBACE,mBAAmB;gBACnB,yBAAyB;gBACzB,mBAAmB;gBACnB,WAAW;aACZ,EACD,qCAAqC,EACrC,2FAA2F,EAC3F,wGAAwG,CACzG,CAAC,CAAC;QACL,CAAC;QAED,gGAAgG;QAChG,6EAA6E;QAC7E,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACnG,0CAA0C;YAC1C,IAAI,OAAO,CAAC,KAAK,CAAC,0CAA0C,CAAC;gBACzD,OAAO,CAAC,KAAK
,CAAC,wCAAwC,CAAC,EAAE,CAAC;gBAC5D,6CAA6C;gBAC7C,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC/C,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,CAC1D,CAAC;gBAEF,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,mBAAmB,EACnB,4DAA4D,EAC5D,oDAAoD,EACpD,UAAU,EACV,4JAA4J,EAC5J,8DAA8D,EAC9D;wBACE,mBAAmB;wBACnB,yBAAyB;wBACzB,mBAAmB;wBACnB,WAAW;qBACZ,EACD,+DAA+D,EAC/D,4FAA4F,EAC5F,mHAAmH,CACpH,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,kGAAkG;QAClG,6DAA6D;QAC7D,uFAAuF;QACvF,MAAM,eAAe,GAAG,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAClG,MAAM,kBAAkB,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,0DAA0D,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QAC/H,MAAM,cAAc,GAAG,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,IAAI,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QAEnH,IAAI,CAAC,eAAe,IAAI,kBAAkB,IAAI,cAAc,CAAC;YACzD,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC5D,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAK,mDAAmD;YACzF,CAAC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAU,gCAAgC;YACvE,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC,CAAM,2BAA2B;YAEpE,MAAM,cAAc,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC9C,CAAC,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,gBAAgB,CACzD,CAAC;YAEF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,eAAe,CAAC,IAAI,CAAC,IAAA,uDAAiC,EACpD,gBAAgB,EAChB,oEAAoE,EACpE,uFAAuF,EACvF,UAAU,EACV,iPAAiP,EACjP,0EAA0E,EAC1E;oBACE,2DAA2D;oBAC3D,yCAAyC;oBACzC,wBAAwB;oBACxB,oCAAoC;oBACpC,4CAA4C;iBAC7C,EACD,qJAAqJ,EACrJ,8fAA8f,EAC9f,kSAAkS,CACnS,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,eAAe,CAAC;AACzB,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"python-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/python-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AA2B7C,qBAAa,cAAe,YAAW,aAAa;IAClD,SAAgB,QAAQ,EAAE,iBAAiB,CAAY;IAEjD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IA4BtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IA4arB,OAAO,CAAC,mBAAmB;IA4H3B,OAAO,CAAC,cAAc;IAiEtB,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,2BAA2B;IAuCnC,OAAO,CAAC,eAAe;IAkOvB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,0BAA0B;IAqIlC,OAAO,CAAC,gBAAgB;IAoBxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmE3B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsElC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAwF9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;
|
|
1
|
+
{"version":3,"file":"python-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../src/lib/analyzers/python-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAkD,MAAM,SAAS,CAAC;AACvH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AA2B7C,qBAAa,cAAe,YAAW,aAAa;IAClD,SAAgB,QAAQ,EAAE,iBAAiB,CAAY;IAEjD,OAAO,CAAC,KAAK,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IA4BtD,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAsBpD,eAAe;;;;;IAQf,OAAO,CAAC,aAAa;IA4arB,OAAO,CAAC,mBAAmB;IA4H3B,OAAO,CAAC,cAAc;IAiEtB,OAAO,CAAC,kBAAkB;IA+B1B,OAAO,CAAC,2BAA2B;IAuCnC,OAAO,CAAC,eAAe;IAkOvB;;;;;;;;;;OAUG;IACH,OAAO,CAAC,0BAA0B;IAqIlC,OAAO,CAAC,gBAAgB;IAoBxB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAmE3B;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAsElC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IAwF9B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA0B/B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA+BxB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsHxB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAwC7B;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAoCzB;;OAEG;IACH,OAAO,CAAC,eAAe;IA8BvB;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAoB7B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAiD1B"}
|
|
@@ -1343,6 +1343,14 @@ class PythonAnalyzer {
|
|
|
1343
1343
|
// Track function-level base indentation
|
|
1344
1344
|
let functionBaseIndent = 0;
|
|
1345
1345
|
let inFunction = false;
|
|
1346
|
+
// Track 'with' statement blocks (variables assigned inside persist after the block)
|
|
1347
|
+
const withBlocks = [];
|
|
1348
|
+
// Helper to check if we're inside a 'with' block
|
|
1349
|
+
const isInsideWithBlock = (currentIndent, currentLine) => {
|
|
1350
|
+
return withBlocks.some(block => currentLine > block.endLine && // After the 'with' line itself
|
|
1351
|
+
currentIndent > block.indent // Inside the block
|
|
1352
|
+
);
|
|
1353
|
+
};
|
|
1346
1354
|
lines.forEach((line, index) => {
|
|
1347
1355
|
const lineNumber = index + 1;
|
|
1348
1356
|
const trimmed = line.trim();
|
|
@@ -1364,17 +1372,25 @@ class PythonAnalyzer {
|
|
|
1364
1372
|
imports.add(importMatch[1]);
|
|
1365
1373
|
return;
|
|
1366
1374
|
}
|
|
1375
|
+
// Track 'with' statements (context managers)
|
|
1376
|
+
// Variables assigned inside 'with' blocks persist after the block
|
|
1377
|
+
if (trimmed.startsWith('with ')) {
|
|
1378
|
+
withBlocks.push({ indent, endLine: lineNumber });
|
|
1379
|
+
return;
|
|
1380
|
+
}
|
|
1367
1381
|
// Track variable assignments
|
|
1368
1382
|
const assignMatch = trimmed.match(/^(\w+)\s*=/);
|
|
1369
1383
|
if (assignMatch && inFunction) {
|
|
1370
1384
|
const varName = assignMatch[1];
|
|
1385
|
+
// Check if this assignment is inside a 'with' block
|
|
1386
|
+
const insideWithBlock = isInsideWithBlock(indent, lineNumber);
|
|
1371
1387
|
// Check if this assignment is inside a conditional block (higher indentation than function base)
|
|
1372
|
-
if (indent > functionBaseIndent + 4) {
|
|
1373
|
-
// Variable assigned inside conditional block (if/for/while/try)
|
|
1388
|
+
if (indent > functionBaseIndent + 4 && !insideWithBlock) {
|
|
1389
|
+
// Variable assigned inside conditional block (if/for/while/try) - might not be defined
|
|
1374
1390
|
conditionalVars.set(varName, { line: lineNumber, indent });
|
|
1375
1391
|
}
|
|
1376
1392
|
else {
|
|
1377
|
-
// Variable assigned at function level (safe)
|
|
1393
|
+
// Variable assigned at function level or inside 'with' block (safe)
|
|
1378
1394
|
definedVars.add(varName);
|
|
1379
1395
|
conditionalVars.delete(varName); // Remove from conditional tracking
|
|
1380
1396
|
}
|