couchloop-eq-mcp 1.0.4 → 1.1.0

package/dist/developer/scanners/secret-scanner.js

@@ -0,0 +1,287 @@
+/**
+ * Secret Scanner
+ * Detects hardcoded secrets in code including:
+ * - API keys (AWS, OpenAI, Stripe, etc.)
+ * - Passwords
+ * - Private keys
+ * - Connection strings with credentials
+ * - Tokens and tokens
+ */
+export class SecretScanner {
+    vulnerabilities = [];
+    // Regex patterns for detecting different types of secrets
+    patterns = {
+        // AWS
+        awsAccessKey: /(?:aws_access_key_id|AKIA)[A-Z0-9]{16,}/gi,
+        awsSecretKey: /(?:aws_secret_access_key|aws_key)['\s=]*[A-Za-z0-9/+=]{40,}/gi,
+        // API Keys
+        openaiKey: /sk-[A-Za-z0-9\-_]{20,}/g,
+        stripeKey: /(?:sk_live|pk_live)_[A-Za-z0-9]{20,}/gi,
+        googleApiKey: /AIza[0-9A-Za-z\-_]{35}/g,
+        githubToken: /ghp_[A-Za-z0-9_]{36,255}/g,
+        digitalOceanToken: /dop_v1_[A-Za-z0-9_]{40,}/g,
+        // Connection Strings
+        mongodbUri: /mongodb\+?srv?:\/\/.+?:.+?@/gi,
+        postgresUri: /postgres(ql)?:\/\/.+?:.+?@/gi,
+        mysqlUri: /mysql:\/\/.+?:.+?@/gi,
+        // Private Keys
+        rsaPrivateKey: /-----BEGIN\s+(?:RSA\s+)?PRIVATE\s+KEY-----/gi,
+        opensshPrivateKey: /-----BEGIN\s+OPENSSH\s+PRIVATE\s+KEY-----/gi,
+        pgpPrivateKey: /-----BEGIN\s+PGP\s+PRIVATE\s+KEY-----/gi,
+        // JWT
+        jwtToken: /eyJ[A-Za-z0-9_\-]+\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+/g,
+        // Basic Passwords
+        passwordAssignment: /(?:password|passwd|pwd|secret)\s*[:=]\s*['\"`]([^'\"`;]+)['\"`]/gi,
+        hardcodedAdmin: /(?:password|passwd)\s*=\s*['\"](?:admin|Admin123|password|123456|password123)['\"]|\b(?:admin|root|sa|user)\s*=\s*['\"](?:admin|password|123456)['\"]|\b(?:password|secret)\s*=\s*['\"][^'\"]*(?:test|temp|demo|pass|secret)[^'\"]*['\"]/gi,
+    };
+    /**
+     * Scan code for hardcoded secrets
+     */
+    scan(code) {
+        this.vulnerabilities = [];
+        const lines = code.split('\n');
+        lines.forEach((line, idx) => {
+            const lineNum = idx + 1;
+            // Skip common safe patterns
+            if (this.isSafeIgnore(line))
+                return;
+            this.checkAwsKeys(line, lineNum);
+            this.checkApiKeys(line, lineNum);
+            this.checkConnectionStrings(line, lineNum);
+            this.checkPrivateKeys(line, lineNum);
+            this.checkPasswords(line, lineNum);
+            this.checkJwtTokens(line, lineNum);
+        });
+        return this.vulnerabilities;
+    }
+    /**
+     * Check if line should be ignored (comments, examples, etc.)
+     */
+    isSafeIgnore(line) {
+        const trimmed = line.trim();
+        // Skip comments
+        if (trimmed.startsWith('//') || trimmed.startsWith('#') || trimmed.startsWith('*')) {
+            return true;
+        }
+        // Skip test/example files with common patterns
+        if (line.includes('example') || line.includes('test') || line.includes('mock') || line.includes('fixture')) {
+            // Unless they're clearly real assignments
+            if (!line.includes('=') && !line.includes(':')) {
+                return true;
+            }
+        }
+        // Skip environment variable examples with placeholder values
+        if ((line.includes('process.env') || line.includes('process.getenv') || line.includes('os.getenv')) &&
+            (line.includes('YOUR_') || line.includes('your_') || line.includes('YOUR-') || line.includes('xxxx'))) {
+            return true;
+        }
+        return false;
+    }
+    /**
+     * Check for AWS keys
+     */
+    checkAwsKeys(line, lineNum) {
+        // AWS Access Key
+        const accessMatches = Array.from(line.matchAll(this.patterns.awsAccessKey));
+        for (const match of accessMatches) {
+            const code = match[0];
+            if (this.isCommentOrString(line, line.indexOf(code)))
+                continue;
+            const column = line.indexOf(code) + 1;
+            this.vulnerabilities.push({
+                type: 'HARDCODED_API_KEY',
+                severity: 'CRITICAL',
+                line: lineNum,
+                column: column,
+                code: code,
+                secretType: 'AWS Access Key ID',
+                secretPreview: code.substring(0, 8) + '...' + code.substring(code.length - 4),
+                issue: `Hardcoded AWS Access Key ID found: ${this.redact(code)}. This grants access to AWS resources.`,
+                cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                fix: `Use AWS IAM roles or credentials from environment:\n  import { AWS_SDK } from 'aws-sdk';\n  // Let AWS SDK load from env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY\n  // Or use IAM role in Lambda/EC2\n  const credentials = new AWS_SDK.Credentials(process.env.AWS_ACCESS_KEY_ID, process.env.AWS_SECRET_ACCESS_KEY);\n\nOr use AWS CLI config file:\n  ~/.aws/credentials or ~/.aws/config`
+            });
+        }
+        // AWS Secret Key
+        const secretMatches = Array.from(line.matchAll(this.patterns.awsSecretKey));
+        for (const match of secretMatches) {
+            const code = match[0];
+            if (this.isCommentOrString(line, line.indexOf(code)))
+                continue;
+            const column = line.indexOf(code) + 1;
+            this.vulnerabilities.push({
+                type: 'HARDCODED_API_KEY',
+                severity: 'CRITICAL',
+                line: lineNum,
+                column: column,
+                code: code,
+                secretType: 'AWS Secret Access Key',
+                secretPreview: code.substring(0, 8) + '...' + code.substring(code.length - 4),
+                issue: `Hardcoded AWS Secret Access Key found: ${this.redact(code)}. This grants full access to AWS resources.`,
+                cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                fix: `Use environment variables:\n  const awsSecret = process.env.AWS_SECRET_ACCESS_KEY;\n  if (!awsSecret) throw new Error('Missing AWS_SECRET_ACCESS_KEY');\n\nStore in .env (add .env to .gitignore):\n  AWS_ACCESS_KEY_ID=...\n  AWS_SECRET_ACCESS_KEY=...\n\nOr use AWS IAM roles (recommended for production).`
+            });
+        }
+    }
+    /**
+     * Check for API keys (OpenAI, Stripe, GitHub, etc.)
+     */
+    checkApiKeys(line, lineNum) {
+        const keyPatterns = [
+            { pattern: this.patterns.openaiKey, type: 'OpenAI API Key', name: 'OpenAI' },
+            { pattern: this.patterns.stripeKey, type: 'Stripe API Key', name: 'Stripe' },
+            { pattern: this.patterns.googleApiKey, type: 'Google API Key', name: 'Google' },
+            { pattern: this.patterns.githubToken, type: 'GitHub Personal Access Token', name: 'GitHub' },
+            { pattern: this.patterns.digitalOceanToken, type: 'DigitalOcean Token', name: 'DigitalOcean' },
+        ];
+        for (const { pattern, type, name } of keyPatterns) {
+            const matches = Array.from(line.matchAll(pattern));
+            for (const match of matches) {
+                const code = match[0];
+                if (this.isCommentOrString(line, line.indexOf(code)))
+                    continue;
+                const column = line.indexOf(code) + 1;
+                this.vulnerabilities.push({
+                    type: 'HARDCODED_API_KEY',
+                    severity: 'CRITICAL',
+                    line: lineNum,
+                    column: column,
+                    code: code,
+                    secretType: type,
+                    secretPreview: code.substring(0, 8) + '...' + code.substring(code.length - 4),
+                    issue: `Hardcoded ${type} found: ${this.redact(code)}. This allows unauthorized API access.`,
+                    cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                    fix: `Use environment variables:\n  const apiKey = process.env.${name.toUpperCase()}_API_KEY;\n  if (!apiKey) throw new Error('Missing ${name.toUpperCase()}_API_KEY');\n  const client = new ${name}Client({ apiKey });\n\nStore in .env file (add to .gitignore):\n  ${name.toUpperCase()}_API_KEY=sk-...\n\nFor deployment, use secrets management:\n  - GitHub Secrets (for CI/CD)\n  - AWS Secrets Manager\n  - Vercel Environment Variables\n  - HashiCorp Vault`
+                });
+            }
+        }
+    }
+    /**
+     * Check for connection strings with embedded credentials
+     */
+    checkConnectionStrings(line, lineNum) {
+        const connPatterns = [
+            { pattern: this.patterns.mongodbUri, type: 'MongoDB Connection String', name: 'MongoDB' },
+            { pattern: this.patterns.postgresUri, type: 'PostgreSQL Connection String', name: 'PostgreSQL' },
+            { pattern: this.patterns.mysqlUri, type: 'MySQL Connection String', name: 'MySQL' },
+        ];
+        for (const { pattern, type, name } of connPatterns) {
+            const matches = Array.from(line.matchAll(pattern));
+            for (const match of matches) {
+                const code = match[0];
+                if (this.isCommentOrString(line, line.indexOf(code)))
+                    continue;
+                const column = line.indexOf(code) + 1;
+                this.vulnerabilities.push({
+                    type: 'CONNECTION_STRING',
+                    severity: 'CRITICAL',
+                    line: lineNum,
+                    column: column,
+                    code: code,
+                    secretType: type,
+                    secretPreview: this.redact(code),
+                    issue: `Hardcoded ${type} with credentials: ${this.redact(code)}. Database credentials should never be in code.`,
+                    cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                    fix: `Use environment variables:\n  const dbUrl = process.env.DATABASE_URL;\n  if (!dbUrl) throw new Error('Missing DATABASE_URL');\n  const client = await new ${name}Client({ url: dbUrl });\n\nFormat for .env:\n  DATABASE_URL=${name.toLowerCase()}://user:password@host:port/database\n\nFor production, use:\n  - Vercel Environment Variables\n  - AWS RDS proxy with IAM auth\n  - Cloud provider secret managers`
+                });
+            }
+        }
+    }
+    /**
+     * Check for private keys in code
+     */
+    checkPrivateKeys(line, lineNum) {
+        if (line.includes('BEGIN PRIVATE KEY') || line.includes('BEGIN RSA PRIVATE KEY') ||
+            line.includes('BEGIN OPENSSH PRIVATE KEY') || line.includes('BEGIN PGP PRIVATE KEY')) {
+            const column = line.indexOf('BEGIN') + 1;
+            this.vulnerabilities.push({
+                type: 'PRIVATE_KEY',
+                severity: 'CRITICAL',
+                line: lineNum,
+                column: column,
+                code: line.substring(0, Math.min(line.length, 80)),
+                secretType: 'Private Key',
+                issue: `Private key found in code: ${line.substring(0, 40)}... This is a critical security issue.`,
+                cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                fix: `Never commit private keys. Instead:\n  1. Generate key pair\n  2. Store private key in secure location (e.g., ~/.ssh/id_rsa with 600 permissions)\n  3. Store public key or certificate in code\n  4. Load private key at runtime from secure location\n  5. Use key management services:\n     - AWS Secrets Manager\n     - HashiCorp Vault\n     - Azure Key Vault\n     - GitHub encrypted secrets\n  6. Use SSH agent for authentication\n\nIf accidentally committed:\n  1. Revoke the key immediately\n  2. git filter-branch or BFG to remove from history\n  3. Generate new key`
+            });
+        }
+    }
+    /**
+     * Check for hardcoded passwords
+     */
+    checkPasswords(line, lineNum) {
+        // Skip if it's a password field definition or validation
+        if (line.includes('password') && !line.includes('=') && !line.includes(':')) {
+            return;
+        }
+        const matches = Array.from(line.matchAll(this.patterns.passwordAssignment));
+        for (const match of matches) {
+            const code = match[0];
+            if (this.isCommentOrString(line, line.indexOf(code)))
+                continue;
+            const column = line.indexOf(code) + 1;
+            const passwordValue = match[1];
+            this.vulnerabilities.push({
+                type: 'HARDCODED_PASSWORD',
+                severity: 'CRITICAL',
+                line: lineNum,
+                column: column,
+                code: code,
+                secretType: 'Hardcoded Password',
+                secretPreview: this.redact(passwordValue || ''),
+                issue: `Hardcoded password found: ${code}. Passwords should never be in source code.`,
+                cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                fix: `Use environment variables:\n  const password = process.env.DB_PASSWORD;\n  if (!password) throw new Error('Missing DB_PASSWORD');\n  await db.connect({ username: 'user', password });\n\nFor authentication, use bcrypt for hashing:\n  import bcrypt from 'bcrypt';\n  const hashedPassword = await bcrypt.hash(password, 10);\n  await db.saveUser({ username, passwordHash: hashedPassword });\n\nFor verification:\n  const isValid = await bcrypt.compare(inputPassword, storedHash);`
+            });
+        }
+    }
+    /**
+     * Check for JWT tokens
+     */
+    checkJwtTokens(line, lineNum) {
+        // Skip if it's in a comment explaining JWT format
+        if (line.includes('//') && line.indexOf('//') < line.indexOf('eyJ')) {
+            return;
+        }
+        const matches = Array.from(line.matchAll(this.patterns.jwtToken));
+        for (const match of matches) {
+            const code = match[0];
+            if (this.isCommentOrString(line, line.indexOf(code)))
+                continue;
+            const column = line.indexOf(code) + 1;
+            this.vulnerabilities.push({
+                type: 'JWT_TOKEN',
+                severity: 'HIGH',
+                line: lineNum,
+                column: column,
+                code: code,
+                secretType: 'JWT Token',
+                secretPreview: code.substring(0, 20) + '...',
+                issue: `JWT token found in code: ${code.substring(0, 30)}... Token may contain sensitive information.`,
+                cwe: 'CWE-798: Use of Hard-Coded Credentials',
+                fix: `Never hardcode JWT tokens. Instead:\n  1. Generate tokens at runtime:\n     import jwt from 'jsonwebtoken';\n     const token = jwt.sign({ userId: user.id }, process.env.JWT_SECRET, { expiresIn: '1h' });\n  2. Store JWT_SECRET in environment variable (never in code):\n     const secret = process.env.JWT_SECRET;\n  3. Return token to client (not in code)\n  4. Client stores token (usually in secure httpOnly cookie)\n  5. Token expires and requires refresh`
+            });
+        }
+    }
+    /**
+     * Redact secret for safe display
+     */
+    redact(secret) {
+        if (secret.length <= 8)
+            return '***';
+        return secret.substring(0, 4) + '...' + secret.substring(secret.length - 4);
+    }
+    /**
+     * Check if position is inside a comment
+     */
+    isCommentOrString(line, position) {
+        const beforePos = line.substring(0, position);
+        // Simple heuristic: if there's a // before this position and no quotes after //, it's a comment
+        const commentIdx = beforePos.lastIndexOf('//');
+        if (commentIdx !== -1) {
+            return true;
+        }
+        return false;
+    }
+}
+//# sourceMappingURL=secret-scanner.js.map

package/dist/developer/scanners/secret-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanner.js","sourceRoot":"","sources":["../../../src/developer/scanners/secret-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,MAAM,OAAO,aAAa;IAChB,eAAe,GAA0B,EAAE,CAAC;IAEpD,0DAA0D;IACzC,QAAQ,GAAG;QAC1B,MAAM;QACN,YAAY,EAAE,2CAA2C;QACzD,YAAY,EAAE,+DAA+D;QAE7E,WAAW;QACX,SAAS,EAAE,yBAAyB;QACpC,SAAS,EAAE,wCAAwC;QACnD,YAAY,EAAE,yBAAyB;QACvC,WAAW,EAAE,2BAA2B;QACxC,iBAAiB,EAAE,2BAA2B;QAE9C,qBAAqB;QACrB,UAAU,EAAE,+BAA+B;QAC3C,WAAW,EAAE,8BAA8B;QAC3C,QAAQ,EAAE,sBAAsB;QAEhC,eAAe;QACf,aAAa,EAAE,8CAA8C;QAC7D,iBAAiB,EAAE,6CAA6C;QAChE,aAAa,EAAE,yCAAyC;QAExD,MAAM;QACN,QAAQ,EAAE,0DAA0D;QAEpE,kBAAkB;QAClB,kBAAkB,EAAE,mEAAmE;QACvF,cAAc,EAAE,4OAA4O;KAC7P,CAAC;IAEF;;OAEG;IACH,IAAI,CAAC,IAAY;QACf,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC1B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC;YAExB,4BAA4B;YAC5B,IAAI,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBAAE,OAAO;YAEpC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjC,IAAI,CAAC,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACjC,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3C,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACrC,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YACnC,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,IAAY;QAC/B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAE5B,gBAAgB;QAChB,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACnF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,+CAA+C;QAC/C,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAC3G,0CAA0C;YAC1C,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,6DAA6D;QAC7D,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAC/F,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YAC1G,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,IAAY,EAAE,OAAe;QAChD,iBAAiB;QACjB,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAC5E,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,mBAAmB;gBAC/B,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;gBAC7E,KAAK,EAAE,sCAAsC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC;gBACtG,GAAG,EAAE,wCAAwC;gBAC7C,GAAG,EAAE,gYAAgY;aACtY,CAAC,CAAC;QACL,CAAC;QAED,iBAAiB;QACjB,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;QAC5E,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,mBAAmB;gBACzB,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,uBAAuB;gBACnC,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;gBAC7E,KAAK,EAAE,0CAA0C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C;gBAC/G,GAAG,EAAE,wCAAwC;gBAC7C,GAAG,EAAE,gTAAgT;aACtT,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,YAAY,CAAC,IAAY,EAAE,OAAe;QAChD,MAAM,WAAW,GAAG;YAClB,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5E,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5E,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC/E,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,8BAA8B,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC5F,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,iBAAiB,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE,cAAc,EAAE;SAC/F,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAEtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI;oBACV,UAAU,EAAE,IAAI;oBAChB,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;oBAC7E,KAAK,EAAE,aAAa,IAAI,WAAW,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC;oBAC5F,GAAG,EAAE,wCAAwC;oBAC7C,GAAG,EAAE,4DAA4D,IAAI,CAAC,WAAW,EAAE,sDAAsD,IAAI,CAAC,WAAW,EAAE,qCAAqC,IAAI,qEAAqE,IAAI,CAAC,WAAW,EAAE,4KAA4K;iBACxc,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,sBAAsB,CAAC,IAAY,EAAE,OAAe;QAC1D,MAAM,YAAY,GAAG;YACnB,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,IAAI,EAAE,SAAS,EAAE;YACzF,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,IAAI,EAAE,8BAA8B,EAAE,IAAI,EAAE,YAAY,EAAE;YAChG,EAAE,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,IAAI,EAAE,yBAAyB,EAAE,IAAI,EAAE,OAAO,EAAE;SACpF,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,YAAY,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;oBAAE,SAAS;gBAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAEtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,IAAI,EAAE,mBAAmB;oBACzB,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI;oBACV,UAAU,EAAE,IAAI;oBAChB,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC;oBAChC,KAAK,EAAE,aAAa,IAAI,sBAAsB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iDAAiD;oBAChH,GAAG,EAAE,wCAAwC;oBAC7C,GAAG,EAAE,6JAA6J,IAAI,+DAA+D,IAAI,CAAC,WAAW,EAAE,oKAAoK;iBAC5Z,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,gBAAgB,CAAC,IAAY,EAAE,OAAe;QACpD,IAAI,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC;YAC5E,IAAI,CAAC,QAAQ,CAAC,2BAA2B,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;YAEzF,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAEzC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,aAAa;gBACnB,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAClD,UAAU,EAAE,aAAa;gBACzB,KAAK,EAAE,8BAA8B,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,wCAAwC;gBAClG,GAAG,EAAE,wCAAwC;gBAC7C,GAAG,EAAE,2jBAA2jB;aACjkB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,IAAY,EAAE,OAAe;QAClD,yDAAyD;QACzD,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5E,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAE5E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACtC,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YAE/B,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,oBAAoB;gBAC1B,QAAQ,EAAE,UAAU;gBACpB,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,oBAAoB;gBAChC,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAC;gBAC/C,KAAK,EAAE,6BAA6B,IAAI,6CAA6C;gBACrF,GAAG,EAAE,wCAAwC;gBAC7C,GAAG,EAAE,6dAA6d;aACne,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,IAAY,EAAE,OAAe;QAClD,kDAAkD;QAClD,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACpE,OAAO;QACT,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;QAElE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;gBAAE,SAAS;YAE/D,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAEtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;gBACxB,IAAI,EAAE,WAAW;gBACjB,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,IAAI;gBACV,UAAU,EAAE,WAAW;gBACvB,aAAa,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;gBAC5C,KAAK,EAAE,4BAA4B,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,8CAA8C;gBACtG,GAAG,EAAE,wCAAwC;gBAC7C,GAAG,EAAE,4cAA4c;aACld,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,MAAc;QAC3B,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC9E,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAY,EAAE,QAAgB;QACtD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAE9C,gGAAgG;QAChG,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/developer/scanners/sql-injection-detector.d.ts

@@ -0,0 +1,54 @@
+/**
+ * SQL Injection Detector
+ * Scans code for SQL injection vulnerabilities including:
+ * - String concatenation in queries
+ * - Unparameterized queries
+ * - Dynamic table/column names
+ * - Direct user input in SQL
+ */
+export interface SqlVulnerability {
+    type: 'SQL_INJECTION' | 'UNPARAMETERIZED_QUERY' | 'DYNAMIC_TABLE_NAME' | 'DYNAMIC_COLUMN_NAME';
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    line: number;
+    column: number;
+    code: string;
+    issue: string;
+    cwe: string;
+    fix: string;
+}
+export declare class SqlInjectionDetector {
+    private vulnerabilities;
+    /**
+     * Scan code for SQL injection vulnerabilities
+     */
+    scan(code: string): SqlVulnerability[];
+    /**
+     * Detect template literals with variables in SQL strings
+     * Pattern: `SELECT * FROM users WHERE id = ${variable}`
+     */
+    private checkStringConcatenation;
+    /**
+     * Detect unparameterized queries with + or concat()
+     * Pattern: "SELECT * FROM users WHERE id = " + id
+     */
+    private checkUnparameterizedQueries;
+    /**
+     * Detect dynamic table names
+     * Pattern: `SELECT * FROM ${tableName}`
+     */
+    private checkDynamicTableNames;
+    /**
+     * Detect dynamic column names
+     * Pattern: `SELECT ${columnName} FROM users`
+     */
+    private checkDynamicColumnNames;
+    /**
+     * Check if code looks like SQL
+     */
+    private isSqlLike;
+    /**
+     * Check if position is inside a comment or string
+     */
+    private isCommentOrString;
+}
+//# sourceMappingURL=sql-injection-detector.d.ts.map

package/dist/developer/scanners/sql-injection-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection-detector.d.ts","sourceRoot":"","sources":["../../../src/developer/scanners/sql-injection-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,eAAe,GAAG,uBAAuB,GAAG,oBAAoB,GAAG,qBAAqB,CAAC;IAC/F,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,oBAAoB;IAC/B,OAAO,CAAC,eAAe,CAA0B;IAEjD;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAetC;;;OAGG;IACH,OAAO,CAAC,wBAAwB;IA6BhC;;;OAGG;IACH,OAAO,CAAC,2BAA2B;IAoCnC;;;OAGG;IACH,OAAO,CAAC,sBAAsB;IA8B9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAqC/B;;OAEG;IACH,OAAO,CAAC,SAAS;IAMjB;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAK1B"}

package/dist/developer/scanners/sql-injection-detector.js

@@ -0,0 +1,174 @@
+/**
+ * SQL Injection Detector
+ * Scans code for SQL injection vulnerabilities including:
+ * - String concatenation in queries
+ * - Unparameterized queries
+ * - Dynamic table/column names
+ * - Direct user input in SQL
+ */
+export class SqlInjectionDetector {
+    vulnerabilities = [];
+    /**
+     * Scan code for SQL injection vulnerabilities
+     */
+    scan(code) {
+        this.vulnerabilities = [];
+        const lines = code.split('\n');
+        lines.forEach((line, idx) => {
+            const lineNum = idx + 1;
+            this.checkStringConcatenation(line, lineNum);
+            this.checkUnparameterizedQueries(line, lineNum);
+            this.checkDynamicTableNames(line, lineNum);
+            this.checkDynamicColumnNames(line, lineNum);
+        });
+        return this.vulnerabilities;
+    }
+    /**
+     * Detect template literals with variables in SQL strings
+     * Pattern: `SELECT * FROM users WHERE id = ${variable}`
+     */
+    checkStringConcatenation(line, lineNum) {
+        // Template literal with SQL - check for variable interpolation
+        const templatePattern = /`[^`]*\$\{[^}]+\}[^`]*`/g;
+        const matches = Array.from(line.matchAll(templatePattern));
+        for (const match of matches) {
+            const code = match[0];
+            // Check if it looks like SQL
+            if (this.isSqlLike(code)) {
+                const column = line.indexOf(code) + 1;
+                // Extract the variable name
+                const varMatch = code.match(/\$\{([^}]+)\}/);
+                const varName = varMatch ? varMatch[1] : 'variable';
+                this.vulnerabilities.push({
+                    type: 'SQL_INJECTION',
+                    severity: 'CRITICAL',
+                    line: lineNum,
+                    column: column,
+                    code: code,
+                    issue: `String interpolation in SQL query: ${code}. User input (${varName}) directly concatenated into SQL.`,
+                    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command',
+                    fix: `Use parameterized queries instead:\n  db.query('SELECT * FROM users WHERE id = ?', [${varName}])\n  Or with named parameters:\n  db.query('SELECT * FROM users WHERE id = $1', [${varName}])`
+                });
+            }
+        }
+    }
+    /**
+     * Detect unparameterized queries with + or concat()
+     * Pattern: "SELECT * FROM users WHERE id = " + id
+     */
+    checkUnparameterizedQueries(line, lineNum) {
+        // String concatenation patterns
+        const concatenationPatterns = [
+            // Double quotes with +
+            /"[^"]*"\s*\+\s*[^;]+/g,
+            // Single quotes with +
+            /'[^']*'\s*\+\s*[^;]+/g,
+            // concat() function
+            /concat\s*\([^)]*\)/gi,
+            // String.concat()
+            /\.concat\s*\([^)]*\)/g,
+        ];
+        for (const pattern of concatenationPatterns) {
+            const matches = Array.from(line.matchAll(pattern));
+            for (const match of matches) {
+                const code = match[0];
+                if (this.isSqlLike(code) && !this.isCommentOrString(line, line.indexOf(code))) {
+                    const column = line.indexOf(code) + 1;
+                    this.vulnerabilities.push({
+                        type: 'UNPARAMETERIZED_QUERY',
+                        severity: 'CRITICAL',
+                        line: lineNum,
+                        column: column,
+                        code: code,
+                        issue: `Unparameterized SQL query with string concatenation: ${code}. Values should be passed as parameters, not concatenated.`,
+                        cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command',
+                        fix: `Use parameterized query:\n  db.query('SELECT * FROM users WHERE id = ? AND name = ?', [id, name])\n  Instead of:\n  db.query("SELECT * FROM users WHERE id = " + id + " AND name = " + name)`
+                    });
+                }
+            }
+        }
+    }
+    /**
+     * Detect dynamic table names
+     * Pattern: `SELECT * FROM ${tableName}`
+     */
+    checkDynamicTableNames(line, lineNum) {
+        const patterns = [
+            /FROM\s+`?[^;]*\$\{[^}]+\}[^;]*`?/gi,
+            /FROM\s+\(?\s*[^;]*\$\{[^}]+\}[^;]*\)?/gi,
+            /FROM\s+\(\s*?["']?[^)]*\$\{[^}]+\}[^)]*["']?\s*\)/gi,
+        ];
+        for (const pattern of patterns) {
+            const matches = Array.from(line.matchAll(pattern));
+            for (const match of matches) {
+                const code = match[0];
+                const column = line.indexOf(code) + 1;
+                const varMatch = code.match(/\$\{([^}]+)\}/);
+                const varName = varMatch ? varMatch[1] : 'variable';
+                this.vulnerabilities.push({
+                    type: 'DYNAMIC_TABLE_NAME',
+                    severity: 'HIGH',
+                    line: lineNum,
+                    column: column,
+                    code: code,
+                    issue: `Dynamic table name in SQL: ${code}. Table name (${varName}) comes from user input, allowing table injection attacks.`,
+                    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command',
+                    fix: `Use identifier escaping or whitelist allowed tables:\n  const allowedTables = ['users', 'orders', 'products'];\n  if (!allowedTables.includes(tableName)) throw new Error('Invalid table');\n  const query = \`SELECT * FROM \\\"\${tableName}\\\"\`; // Quoted identifier\n  Or use an ORM that handles this safely.`
+                });
+            }
+        }
+    }
+    /**
+     * Detect dynamic column names
+     * Pattern: `SELECT ${columnName} FROM users`
+     */
+    checkDynamicColumnNames(line, lineNum) {
+        const patterns = [
+            /SELECT\s+[^;]*\$\{[^}]+\}[^;]*/gi,
+            /ORDER\s+BY\s+[^;]*\$\{[^}]+\}[^;]*/gi,
+            /WHERE\s+[^;]*\$\{[^}]+\}[^;]*/gi,
+        ];
+        for (const pattern of patterns) {
+            const matches = Array.from(line.matchAll(pattern));
+            for (const match of matches) {
+                const code = match[0];
+                // Skip if it's in VALUES clause (less critical)
+                if (code.includes('VALUES'))
+                    continue;
+                // Skip if it looks like a parameter placeholder
+                if (code.includes('?') || code.includes('$1'))
+                    continue;
+                const column = line.indexOf(code) + 1;
+                const varMatch = code.match(/\$\{([^}]+)\}/);
+                const varName = varMatch ? varMatch[1] : 'variable';
+                this.vulnerabilities.push({
+                    type: 'DYNAMIC_COLUMN_NAME',
+                    severity: 'MEDIUM',
+                    line: lineNum,
+                    column: column,
+                    code: code,
+                    issue: `Dynamic column name in SQL: ${code}. Column name (${varName}) from user input could allow column-based injection attacks.`,
+                    cwe: 'CWE-89: Improper Neutralization of Special Elements used in an SQL Command',
+                    fix: `Use identifier escaping or whitelist allowed columns:\n  const allowedColumns = ['id', 'name', 'email'];\n  if (!allowedColumns.includes(columnName)) throw new Error('Invalid column');\n  const query = \`SELECT \\\"\${columnName}\\\", * FROM users\`; // Quoted identifier\n  Or use an ORM's dynamic select methods.`
+                });
+            }
+        }
+    }
+    /**
+     * Check if code looks like SQL
+     */
+    isSqlLike(code) {
+        const sqlKeywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'FROM', 'WHERE', 'JOIN', 'ORDER', 'GROUP', 'UNION'];
+        const upperCode = code.toUpperCase();
+        return sqlKeywords.some(keyword => upperCode.includes(keyword));
+    }
+    /**
+     * Check if position is inside a comment or string
+     */
+    isCommentOrString(line, position) {
+        // Simple check - look for comment markers before position
+        const beforePos = line.substring(0, position);
+        return beforePos.includes('//') || beforePos.includes('/*');
+    }
+}
+//# sourceMappingURL=sql-injection-detector.js.map

package/dist/developer/scanners/sql-injection-detector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sql-injection-detector.js","sourceRoot":"","sources":["../../../src/developer/scanners/sql-injection-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAaH,MAAM,OAAO,oBAAoB;IACvB,eAAe,GAAuB,EAAE,CAAC;IAEjD;;OAEG;IACH,IAAI,CAAC,IAAY;QACf,IAAI,CAAC,eAAe,GAAG,EAAE,CAAC;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;YAC1B,MAAM,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC;YACxB,IAAI,CAAC,wBAAwB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC7C,IAAI,CAAC,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAChD,IAAI,CAAC,sBAAsB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC3C,IAAI,CAAC,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC,eAAe,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACK,wBAAwB,CAAC,IAAY,EAAE,OAAe;QAC5D,+DAA+D;QAC/D,MAAM,eAAe,GAAG,0BAA0B,CAAC;QACnD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CAAC;QAE3D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,6BAA6B;YAC7B,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;gBACzB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAEtC,4BAA4B;gBAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;gBAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;gBAEpD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,IAAI,EAAE,eAAe;oBACrB,QAAQ,EAAE,UAAU;oBACpB,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI;oBACV,KAAK,EAAE,sCAAsC,IAAI,iBAAiB,OAAO,mCAAmC;oBAC5G,GAAG,EAAE,4EAA4E;oBACjF,GAAG,EAAE,uFAAuF,OAAO,qFAAqF,OAAO,IAAI;iBACpM,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,2BAA2B,CAAC,IAAY,EAAE,OAAe;QAC/D,gCAAgC;QAChC,MAAM,qBAAqB,GAAG;YAC5B,uBAAuB;YACvB,uBAAuB;YACvB,uBAAuB;YACvB,uBAAuB;YACvB,oBAAoB;YACpB,sBAAsB;YACtB,kBAAkB;YAClB,uBAAuB;SACxB,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,qBAAqB,EAAE,CAAC;YAC5C,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;oBAC9E,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBAEtC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;wBACxB,IAAI,EAAE,uBAAuB;wBAC7B,QAAQ,EAAE,UAAU;wBACpB,IAAI,EAAE,OAAO;wBACb,MAAM,EAAE,MAAM;wBACd,IAAI,EAAE,IAAI;wBACV,KAAK,EAAE,wDAAwD,IAAI,4DAA4D;wBAC/H,GAAG,EAAE,4EAA4E;wBACjF,GAAG,EAAE,8LAA8L;qBACpM,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,sBAAsB,CAAC,IAAY,EAAE,OAAe;QAC1D,MAAM,QAAQ,GAAG;YACf,oCAAoC;YACpC,yCAAyC;YACzC,qDAAqD;SACtD,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;gBAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;gBAEpD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,IAAI,EAAE,oBAAoB;oBAC1B,QAAQ,EAAE,MAAM;oBAChB,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI;oBACV,KAAK,EAAE,8BAA8B,IAAI,iBAAiB,OAAO,4DAA4D;oBAC7H,GAAG,EAAE,4EAA4E;oBACjF,GAAG,EAAE,uTAAuT;iBAC7T,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;OAGG;IACK,uBAAuB,CAAC,IAAY,EAAE,OAAe;QAC3D,MAAM,QAAQ,GAAG;YACf,kCAAkC;YAClC,sCAAsC;YACtC,iCAAiC;SAClC,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;YAEnD,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,gDAAgD;gBAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAAE,SAAS;gBAEtC,gDAAgD;gBAChD,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAExD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;gBAC7C,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;gBAEpD,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC;oBACxB,IAAI,EAAE,qBAAqB;oBAC3B,QAAQ,EAAE,QAAQ;oBAClB,IAAI,EAAE,OAAO;oBACb,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI;oBACV,KAAK,EAAE,+BAA+B,IAAI,kBAAkB,OAAO,+DAA+D;oBAClI,GAAG,EAAE,4EAA4E;oBACjF,GAAG,EAAE,4TAA4T;iBAClU,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,IAAY;QAC5B,MAAM,WAAW,GAAG,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACjH,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QACrC,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IAClE,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAY,EAAE,QAAgB;QACtD,0DAA0D;QAC1D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;QAC9C,OAAO,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC9D,CAAC;CACF"}

package/dist/developer/scanners/xss-detector.d.ts

@@ -0,0 +1,60 @@
+/**
+ * XSS (Cross-Site Scripting) Detector
+ * Scans code for XSS vulnerabilities including:
+ * - innerHTML usage with untrusted data
+ * - Unescaped user input in DOM
+ * - eval() and similar dangerous functions
+ * - Dangerous DOM manipulation patterns
+ */
+export interface XssVulnerability {
+    type: 'INNERHTML_XSS' | 'EVAL_XSS' | 'UNESCAPED_DOM' | 'DANGEROUS_DOM_METHOD' | 'REACT_DANGEROUSHTML';
+    severity: 'CRITICAL' | 'HIGH' | 'MEDIUM';
+    line: number;
+    column: number;
+    code: string;
+    issue: string;
+    cwe: string;
+    fix: string;
+}
+export declare class XssDetector {
+    private vulnerabilities;
+    /**
+     * Scan code for XSS vulnerabilities
+     */
+    scan(code: string): XssVulnerability[];
+    /**
+     * Detect innerHTML usage with variables or user input
+     * Pattern: element.innerHTML = userInput
+     * Pattern: element.innerHTML = `content ${userVar}`
+     */
+    private checkInnerHtmlUsage;
+    /**
+     * Detect eval() and similar dangerous functions
+     * Pattern: eval(userInput)
+     * Pattern: Function(userInput)
+     * Pattern: setTimeout(userInput)
+     */
+    private checkEvalUsage;
+    /**
+     * Detect unescaped DOM manipulation
+     * Pattern: element.insertAdjacentHTML('beforeend', userInput)
+     * Pattern: document.write(userInput)
+     */
+    private checkUnescapedDomManipulation;
+    /**
+     * Detect dangerous DOM methods
+     * Pattern: element.click(userEvent)
+     * Pattern: element.setAttribute('onclick', userInput)
+     */
+    private checkDangerousDomMethods;
+    /**
+     * Detect React dangerouslySetInnerHTML usage
+     * Pattern: dangerouslySetInnerHTML={{ __html: userInput }}
+     */
+    private checkReactDangerousHtml;
+    /**
+     * Check if position is inside a comment or string
+     */
+    private isCommentOrString;
+}
+//# sourceMappingURL=xss-detector.d.ts.map

package/dist/developer/scanners/xss-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xss-detector.d.ts","sourceRoot":"","sources":["../../../src/developer/scanners/xss-detector.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,eAAe,GAAG,UAAU,GAAG,eAAe,GAAG,sBAAsB,GAAG,qBAAqB,CAAC;IACtG,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;CACb;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,eAAe,CAA0B;IAEjD;;OAEG;IACH,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAgBtC;;;;OAIG;IACH,OAAO,CAAC,mBAAmB;IAuC3B;;;;;OAKG;IACH,OAAO,CAAC,cAAc;IAgDtB;;;;OAIG;IACH,OAAO,CAAC,6BAA6B;IA6CrC;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;IA8BhC;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IA6B/B;;OAEG;IACH,OAAO,CAAC,iBAAiB;CAI1B"}