create-qa-architect 5.13.6 → 5.14.0

package/.semgrep/defensive-patterns.yaml

@@ -0,0 +1,356 @@
+rules:
+  # =============================================================================
+  # Defensive Patterns Semgrep Rules (CS-090)
+  # =============================================================================
+  # Security-focused rules that complement ESLint defensive patterns.
+  # Run with: semgrep --config .semgrep/defensive-patterns.yaml
+  #
+  # These rules catch patterns that are difficult or impossible to detect
+  # with ESLint alone.
+  # =============================================================================
+
+  # ---------------------------------------------------------------------------
+  # PROTOTYPE POLLUTION
+  # ---------------------------------------------------------------------------
+  - id: prototype-pollution-json-parse
+    message: |
+      JSON.parse on user input can lead to prototype pollution if the parsed
+      object has __proto__ properties. Use a safe parse function that strips
+      dangerous properties.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: JSON.parse($REQ.body)
+      - pattern: JSON.parse($REQ.query.$PARAM)
+      - pattern: JSON.parse($REQ.params.$PARAM)
+      - pattern: JSON.parse(await $REQ.json())
+    metadata:
+      category: security
+      cwe: 'CWE-1321'
+      owasp: 'A03:2021'
+      references:
+        - https://portswigger.net/web-security/prototype-pollution
+
+  - id: prototype-pollution-object-assign
+    message: |
+      Object.assign with user-controlled input can lead to prototype pollution.
+      Sanitize input or use a safer merge function.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: Object.assign($OBJ, $REQ.body)
+      - pattern: Object.assign($OBJ, ...$USER_INPUT)
+    metadata:
+      category: security
+      cwe: 'CWE-1321'
+
+  - id: prototype-pollution-spread
+    message: |
+      Spreading user input directly into an object can lead to prototype
+      pollution. Validate keys before spreading.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern: '{ ...$REQ.body }'
+    metadata:
+      category: security
+      cwe: 'CWE-1321'
+
+  # ---------------------------------------------------------------------------
+  # SQL INJECTION
+  # ---------------------------------------------------------------------------
+  - id: sql-injection-template-string
+    message: |
+      SQL query built with template string containing user input. Use
+      parameterized queries instead.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: $DB.query(`...${$USER_INPUT}...`)
+      - pattern: $DB.raw(`...${$USER_INPUT}...`)
+      - pattern: $PRISMA.$queryRaw(`...${$USER_INPUT}...`)
+    metadata:
+      category: security
+      cwe: 'CWE-89'
+      owasp: 'A03:2021'
+
+  - id: sql-injection-string-concat
+    message: |
+      SQL query built with string concatenation. Use parameterized queries.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: $DB.query("..." + $USER_INPUT + "...")
+    metadata:
+      category: security
+      cwe: 'CWE-89'
+
+  # ---------------------------------------------------------------------------
+  # AUTHENTICATION BYPASS
+  # ---------------------------------------------------------------------------
+  - id: auth-bypass-or-condition
+    message: |
+      OR condition in authentication check may allow bypass. Use AND conditions
+      for security checks.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: if ($AUTH || $OTHER) { ... }
+      - pattern: |
+          $AUTH || $OTHER ? $TRUE : $FALSE
+    metadata:
+      category: security
+      cwe: 'CWE-287'
+
+  - id: auth-skip-on-dev
+    message: |
+      Authentication skipped in development mode. This pattern can accidentally
+      reach production. Use environment-specific auth instead.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: |
+          if (process.env.NODE_ENV !== "production") {
+            return $ALLOW;
+          }
+    metadata:
+      category: security
+      cwe: 'CWE-287'
+
+  # ---------------------------------------------------------------------------
+  # INSECURE RANDOMNESS
+  # ---------------------------------------------------------------------------
+  - id: insecure-random-token
+    message: |
+      Math.random() is not cryptographically secure. Use crypto.randomBytes()
+      or crypto.randomUUID() for tokens, IDs, and secrets.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: Math.random().toString($BASE)
+      - pattern: Math.random().toString($BASE).slice($N)
+      - pattern: Math.random().toString($BASE).substring($N)
+    metadata:
+      category: security
+      cwe: 'CWE-330'
+      fix: "Use crypto.randomBytes(32).toString('hex') or crypto.randomUUID()"
+
+  - id: insecure-random-array
+    message: |
+      Using Math.random() for shuffling or selection in security-sensitive
+      context. Use crypto.getRandomValues() instead.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern: Math.floor(Math.random() * $ARR.length)
+    metadata:
+      category: security
+      cwe: 'CWE-330'
+
+  # ---------------------------------------------------------------------------
+  # COMMAND INJECTION
+  # ---------------------------------------------------------------------------
+  # Note: These rules detect DANGEROUS patterns that should be flagged.
+  # The patterns below are what we want to WARN about, not examples to follow.
+
+  - id: command-injection-template
+    message: |
+      User input in shell command template string. Use child_process.execFile
+      with argument array or validate/escape input.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: child_process.execSync(`...${$USER_INPUT}...`)
+    metadata:
+      category: security
+      cwe: 'CWE-78'
+      owasp: 'A03:2021'
+      fix: 'Use execFile() with argument array instead of template strings'
+
+  - id: command-injection-shell-option
+    message: |
+      spawn() with shell: true can lead to command injection. Use shell: false
+      and pass arguments as array.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern: 'spawn($CMD, $ARGS, { ..., shell: true, ... })'
+    metadata:
+      category: security
+      cwe: 'CWE-78'
+
+  # ---------------------------------------------------------------------------
+  # PATH TRAVERSAL
+  # ---------------------------------------------------------------------------
+  - id: path-traversal-join
+    message: |
+      User input in path.join() without validation can lead to path traversal.
+      Validate that the result stays within intended directory.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: path.join($BASE, $REQ.params.$PARAM)
+      - pattern: path.join($BASE, $REQ.query.$PARAM)
+      - pattern: path.join($BASE, $USER_INPUT)
+    metadata:
+      category: security
+      cwe: 'CWE-22'
+
+  - id: path-traversal-resolve
+    message: |
+      path.resolve() with user input may escape intended directory. Use
+      path.join() and verify result with startsWith().
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern: path.resolve($USER_INPUT)
+    metadata:
+      category: security
+      cwe: 'CWE-22'
+
+  # ---------------------------------------------------------------------------
+  # HARDCODED SECRETS
+  # ---------------------------------------------------------------------------
+  - id: hardcoded-jwt-secret
+    message: |
+      JWT secret appears to be hardcoded. Use environment variables for secrets.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: jwt.sign($PAYLOAD, "...")
+      - pattern: jwt.verify($TOKEN, "...")
+    metadata:
+      category: security
+      cwe: 'CWE-798'
+
+  - id: hardcoded-api-key
+    message: |
+      API key appears to be hardcoded. Use environment variables for secrets.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: |
+          { ..., apiKey: "...", ... }
+      - pattern: |
+          headers: { ..., "x-api-key": "...", ... }
+    metadata:
+      category: security
+      cwe: 'CWE-798'
+
+  # ---------------------------------------------------------------------------
+  # UNSAFE DESERIALIZATION
+  # ---------------------------------------------------------------------------
+  - id: unsafe-eval
+    message: |
+      eval() with dynamic input is dangerous. Use safer alternatives.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: eval($USER_INPUT)
+      - pattern: new Function($USER_INPUT)
+    metadata:
+      category: security
+      cwe: 'CWE-95'
+
+  # ---------------------------------------------------------------------------
+  # MISSING SECURITY HEADERS
+  # ---------------------------------------------------------------------------
+  - id: cors-allow-all
+    message: |
+      CORS configured to allow all origins. This may expose APIs to
+      unauthorized cross-origin requests.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: |
+          cors({ origin: "*" })
+      - pattern: |
+          cors({ origin: true })
+      - pattern: |
+          res.setHeader("Access-Control-Allow-Origin", "*")
+    metadata:
+      category: security
+      cwe: 'CWE-942'
+
+  # ---------------------------------------------------------------------------
+  # DENIAL OF SERVICE
+  # ---------------------------------------------------------------------------
+  - id: unbounded-array-growth
+    message: |
+      Array grows unboundedly in loop. Add size limits to prevent memory
+      exhaustion.
+    severity: WARNING
+    languages:
+      - javascript
+      - typescript
+    pattern: |
+      while (...) {
+        ...
+        $ARR.push(...)
+        ...
+      }
+    metadata:
+      category: security
+      cwe: 'CWE-400'
+
+  # ---------------------------------------------------------------------------
+  # REACT SECURITY
+  # ---------------------------------------------------------------------------
+  - id: react-dangerous-html
+    message: |
+      dangerouslySetInnerHTML with user input can lead to XSS. Sanitize HTML
+      with DOMPurify or similar library.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-regex: "dangerouslySetInnerHTML\\s*=\\s*\\{\\{\\s*__html"
+    metadata:
+      category: security
+      cwe: 'CWE-79'
+      owasp: 'A07:2021'
+
+  - id: react-href-javascript
+    message: |
+      javascript: URLs in href can lead to XSS. Validate URLs or use
+      onClick handlers instead.
+    severity: ERROR
+    languages:
+      - javascript
+      - typescript
+    pattern-either:
+      - pattern: <a href={`javascript:${$CODE}`} />
+      - pattern: <a href="javascript:..." />
+    metadata:
+      category: security
+      cwe: 'CWE-79'

package/.semgrep/vibe-audit-rules.yaml

@@ -0,0 +1,332 @@
+rules:
+  # =============================================================================
+  # Vibe-Code Audit Rules
+  # =============================================================================
+  # Security patterns specifically common in AI-generated / vibe-coded apps.
+  # Complements defensive-patterns.yaml (which covers prototype pollution,
+  # SQL injection, command injection, path traversal, hardcoded secrets).
+  #
+  # Categories covered:
+  #   1. Auth & authorization gaps
+  #   2. Production misconfigs (debug mode, verbose errors, CORS)
+  #   3. Input validation gaps
+  #   4. XSS patterns
+  #   5. Insecure direct object reference (IDOR)
+  #   6. Sensitive data exposure
+  # =============================================================================
+
+  # ---------------------------------------------------------------------------
+  # AUTH & AUTHORIZATION
+  # ---------------------------------------------------------------------------
+
+  - id: client-side-auth-check
+    message: |
+      Authorization check found in client-side code. Checks that run only in
+      the browser can be bypassed. Move auth enforcement to the server/API layer.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: |
+          if ($USER.role === $ROLE) {
+            ...
+          }
+      - pattern: |
+          if ($USER.isAdmin) {
+            ...
+          }
+    paths:
+      include:
+        - '*.tsx'
+        - '*.jsx'
+        - 'components/**'
+        - 'pages/**'
+        - 'app/**'
+    metadata:
+      category: security
+      cwe: 'CWE-602'
+      owasp: 'A01:2021'
+
+  - id: missing-auth-api-route
+    message: |
+      API route handler with no visible auth check. Vibe-coded routes often
+      skip auth middleware. Verify this route requires authentication.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: |
+          export default async function handler($REQ, $RES) {
+            ...
+            $RES.json(...)
+          }
+      - pattern: |
+          export async function GET($REQ) {
+            ...
+            return Response.json(...)
+          }
+      - pattern: |
+          router.get($PATH, async ($REQ, $RES) => {
+            ...
+            $RES.json(...)
+          })
+    paths:
+      include:
+        - 'pages/api/**'
+        - 'app/api/**'
+        - 'routes/**'
+        - 'src/pages/api/**'
+        - 'src/app/api/**'
+    metadata:
+      category: security
+      cwe: 'CWE-306'
+      owasp: 'A01:2021'
+      note: 'Confirm this route has auth middleware or session validation'
+
+  - id: hardcoded-admin-identity
+    message: |
+      Admin check against a hardcoded email or username string. This is fragile
+      and likely to break. Use role-based access control or a proper admin flag.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: $EMAIL === "..."
+      - pattern: $USERNAME === "..."
+    paths:
+      include:
+        - 'pages/api/**'
+        - 'app/api/**'
+        - 'lib/**'
+        - 'server/**'
+    metadata:
+      category: security
+      cwe: 'CWE-798'
+
+  - id: jwt-no-expiry
+    message: |
+      JWT signed without an expiry option. Tokens that never expire are a
+      security risk — a stolen token grants permanent access. Set expiresIn.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: jwt.sign($PAYLOAD, $SECRET)
+      - pattern: sign($PAYLOAD, $SECRET)
+    metadata:
+      category: security
+      cwe: 'CWE-613'
+      fix: "jwt.sign(payload, secret, { expiresIn: '24h' })"
+
+  - id: cookie-no-httponly
+    message: |
+      Cookie set without httpOnly flag. Cookies without httpOnly are readable
+      by JavaScript and vulnerable to theft via script injection.
+      Add httpOnly: true to the cookie options.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern: |
+      res.cookie($NAME, $VALUE, { ... })
+    metadata:
+      category: security
+      cwe: 'CWE-1004'
+      fix: "res.cookie(name, value, { httpOnly: true, secure: true, sameSite: 'strict' })"
+
+  # ---------------------------------------------------------------------------
+  # PRODUCTION MISCONFIGS
+  # ---------------------------------------------------------------------------
+
+  - id: debug-flag-hardcoded
+    message: |
+      Debug or development flag hardcoded to true. If this reaches production
+      it may expose stack traces, verbose logs, or disable security checks.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: 'debug: true'
+      - pattern: 'DEBUG: true'
+    metadata:
+      category: security
+      cwe: 'CWE-489'
+
+  - id: verbose-error-to-client
+    message: |
+      Full error message or stack trace sent back to the client. This exposes
+      internal implementation details. Return a generic message to the client
+      and log the full error server-side.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: 'res.status(500).json({ error: $ERR.message })'
+      - pattern: 'res.status(500).json({ error: $ERR })'
+      - pattern: 'res.status(500).json({ stack: $ERR.stack })'
+      - pattern: 'return Response.json({ error: $ERR.message }, { status: 500 })'
+    metadata:
+      category: security
+      cwe: 'CWE-209'
+      owasp: 'A05:2021'
+      fix: 'return res.status(500).json({ error: "Internal server error" })'
+
+  - id: console-log-credential
+    message: |
+      Logging a field that may be a credential (password, token, secret, key).
+      Console logs in production can appear in log aggregation services and
+      expose secrets. Remove this log or redact the sensitive field.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: console.log(..., $X.password, ...)
+      - pattern: console.log(..., $X.token, ...)
+      - pattern: console.log(..., $X.secret, ...)
+      - pattern: console.log(..., $X.apiKey, ...)
+      - pattern: console.log(..., $X.privateKey, ...)
+    metadata:
+      category: security
+      cwe: 'CWE-532'
+
+  - id: express-no-helmet
+    message: |
+      Express app created without helmet middleware. Helmet sets secure HTTP
+      response headers (X-Frame-Options, HSTS, CSP, etc.) automatically.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern: |
+      const $APP = express()
+      ...
+      $APP.use(...)
+    metadata:
+      category: security
+      cwe: 'CWE-693'
+      fix: "const helmet = require('helmet'); app.use(helmet())"
+
+  # ---------------------------------------------------------------------------
+  # XSS PATTERNS
+  # ---------------------------------------------------------------------------
+
+  - id: dynamic-html-assignment
+    message: |
+      Assigning dynamic content to an HTML property that interprets markup.
+      If the value contains user input this is a script injection vector.
+      Use textContent for plain text, or sanitize HTML before assignment.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: $EL.innerHTML = $DATA
+      - pattern: document.getElementById($ID).innerHTML = $DATA
+    metadata:
+      category: security
+      cwe: 'CWE-79'
+      owasp: 'A03:2021'
+      fix: 'Use textContent for plain text or DOMPurify.sanitize() for HTML'
+
+  - id: dynamic-href-user-input
+    message: |
+      Anchor href set from a dynamic expression. If the value comes from user
+      input this can lead to open redirect or script injection via javascript:
+      URLs. Validate that the URL starts with https:// before use.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern: <a href={$DYNAMIC}>...</a>
+    metadata:
+      category: security
+      cwe: 'CWE-79'
+
+  # ---------------------------------------------------------------------------
+  # INPUT VALIDATION GAPS
+  # ---------------------------------------------------------------------------
+
+  - id: unvalidated-redirect
+    message: |
+      Redirect target taken directly from user input or query params.
+      Open redirects enable phishing. Validate the target against an allowlist
+      of permitted domains before redirecting.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: res.redirect($REQ.query.$PARAM)
+      - pattern: res.redirect($REQ.body.$FIELD)
+    metadata:
+      category: security
+      cwe: 'CWE-601'
+      owasp: 'A01:2021'
+
+  - id: file-upload-unchecked
+    message: |
+      File upload handling found with no MIME type or extension check visible.
+      Accepting arbitrary files can lead to code execution or storage abuse.
+      Validate file type using an allowlist before processing.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern: formData.get("file")
+    metadata:
+      category: security
+      cwe: 'CWE-434'
+      note: 'Verify file type is validated with a MIME type + extension allowlist'
+
+  # ---------------------------------------------------------------------------
+  # INSECURE DIRECT OBJECT REFERENCE (IDOR)
+  # ---------------------------------------------------------------------------
+
+  - id: idor-prisma-no-owner-filter
+    message: |
+      Prisma query by ID from request params with no user ownership filter.
+      Without filtering by the authenticated user's ID, any authenticated user
+      can read or modify other users' records. Add userId: session.user.id to
+      the where clause.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: |
+          $DB.findUnique({ where: { id: $REQ.params.id } })
+      - pattern: |
+          $DB.findUnique({ where: { id: $REQ.query.id } })
+    metadata:
+      category: security
+      cwe: 'CWE-639'
+      owasp: 'A01:2021'
+      fix: 'findUnique({ where: { id: params.id, userId: session.user.id } })'
+
+  # ---------------------------------------------------------------------------
+  # SENSITIVE DATA EXPOSURE
+  # ---------------------------------------------------------------------------
+
+  - id: env-var-in-client-component
+    message: |
+      process.env access in a file that appears to be a client component.
+      Server-only env vars are not available in the browser. Expose only
+      NEXT_PUBLIC_ prefixed vars client-side, and never expose secrets.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern: process.env.$VAR
+    paths:
+      include:
+        - 'components/**'
+        - 'app/**/*.tsx'
+        - 'app/**/*.jsx'
+        - 'pages/**/*.tsx'
+        - 'pages/**/*.jsx'
+    metadata:
+      category: security
+      cwe: 'CWE-526'
+
+  - id: dynamic-require-variable
+    message: |
+      Dynamic require() with a variable path. If the path is influenced by
+      user input this can be exploited to load unexpected modules.
+    severity: ERROR
+    languages: [javascript, typescript]
+    pattern: require($VAR)
+    metadata:
+      category: security
+      cwe: 'CWE-706'
+
+  - id: bracket-notation-user-key
+    message: |
+      Object property accessed with user-controlled bracket notation.
+      If the key is "__proto__" or "constructor" this corrupts object prototypes.
+      Validate the key against an allowlist before use.
+    severity: WARNING
+    languages: [javascript, typescript]
+    pattern-either:
+      - pattern: $OBJ[$REQ.body.$FIELD]
+      - pattern: $OBJ[$REQ.query.$PARAM]
+      - pattern: $OBJ[$REQ.params.$PARAM]
+    metadata:
+      category: security
+      cwe: 'CWE-1321'