dravix-agent 0.1.0

package/data/vulnkb.json

@@ -0,0 +1,666 @@
+{
+  "$schema_version": 1,
+  "$comment": "Aegis-v2 Vul-RAG knowledge base. Each entry: a known CWE with one canonical vulnerable pattern and the fixed counterpart, drawn from MITRE/OWASP/CVEfixes. The vulnerable_pattern field is what we EMBED for retrieval. fix_pattern is what the LLM critic shows when suggesting remediation. Languages covered: Python, JavaScript, TypeScript, Go. Curated, not auto-generated. Last review: 2026-05-25.",
+  "entries": [
+    {
+      "cwe": "CWE-89",
+      "name": "SQL Injection",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "User-controlled input is concatenated into a SQL query string instead of bound as a parameter.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "def get_user(name):\n    conn = sqlite3.connect('db')\n    cur = conn.cursor()\n    cur.execute(f\"SELECT * FROM users WHERE name='{name}'\")\n    return cur.fetchall()",
+      "fix_pattern": "def get_user(name):\n    conn = sqlite3.connect('db')\n    cur = conn.cursor()\n    cur.execute('SELECT * FROM users WHERE name = ?', (name,))\n    return cur.fetchall()",
+      "detection_hints": ["f-string in execute(", "string concatenation with SELECT/INSERT/UPDATE", ".format() inside execute(", "${var} inside raw SQL template"]
+    },
+    {
+      "cwe": "CWE-78",
+      "name": "OS Command Injection",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "User input is passed to a shell with shell=True or concatenated into os.system / exec / spawn.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "def run_cmd(user_arg):\n    os.system('ls ' + user_arg)",
+      "fix_pattern": "def run_cmd(user_arg):\n    subprocess.run(['ls', user_arg], check=True, shell=False)",
+      "detection_hints": ["os.system(", "subprocess with shell=True", "child_process.exec(", "string concat into command"]
+    },
+    {
+      "cwe": "CWE-79",
+      "name": "Cross-site Scripting (XSS)",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "User input is rendered to HTML without escaping, allowing attacker-controlled <script>.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "function render(comment) {\n  document.getElementById('out').innerHTML = '<div>' + comment + '</div>';\n}",
+      "fix_pattern": "function render(comment) {\n  const div = document.createElement('div');\n  div.textContent = comment;\n  document.getElementById('out').replaceChildren(div);\n}",
+      "detection_hints": ["innerHTML with user data", "dangerouslySetInnerHTML", "Markup() with user input", "|safe filter in Jinja"]
+    },
+    {
+      "cwe": "CWE-22",
+      "name": "Path Traversal",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "User-controlled path joined with a base directory without normalising + checking containment.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "def read_user_file(name):\n    with open('/data/users/' + name, 'r') as f:\n        return f.read()",
+      "fix_pattern": "from pathlib import Path\n\ndef read_user_file(name):\n    base = Path('/data/users').resolve()\n    target = (base / name).resolve()\n    if not str(target).startswith(str(base) + os.sep):\n        raise ValueError('path escapes base')\n    return target.read_text()",
+      "detection_hints": ["open(base + user_input)", "path.join with raw user input", "fs.readFile(req.params.x)", "filepath.Join without filepath.Clean"]
+    },
+    {
+      "cwe": "CWE-918",
+      "name": "Server-Side Request Forgery (SSRF)",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Server fetches a URL whose host is attacker-controlled, exposing internal services.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "async function fetchUrl(req) {\n  const r = await fetch(req.body.url);\n  return r.text();\n}",
+      "fix_pattern": "import ipaddress, urllib.parse\n\nALLOWED = {'api.example.com'}\n\nasync def fetchUrl(req):\n    u = urllib.parse.urlparse(req.body.url)\n    if u.hostname not in ALLOWED: raise ValueError('host blocked')\n    return (await httpx.get(req.body.url)).text",
+      "detection_hints": ["fetch(req.body.x)", "requests.get(user_url)", "http.Get(userURL)", "no allowlist check"]
+    },
+    {
+      "cwe": "CWE-94",
+      "name": "Code Injection via eval/exec",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "User input reaches eval()/exec()/Function()/setTimeout(string) and is executed as code.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "function calc(formula) {\n  return eval(formula);\n}",
+      "fix_pattern": "// Use a real expression parser (e.g. mathjs) instead of eval.\nimport { evaluate } from 'mathjs';\nfunction calc(formula) {\n  return evaluate(formula);\n}",
+      "detection_hints": ["eval(", "Function('return ' + x)(", "setTimeout(string, ...)", "exec(user_input)"]
+    },
+    {
+      "cwe": "CWE-502",
+      "name": "Deserialization of Untrusted Data",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "pickle.loads / yaml.load / unserialize on data the attacker can supply executes arbitrary code.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "def from_session(blob):\n    return pickle.loads(blob)",
+      "fix_pattern": "def from_session(blob):\n    return json.loads(blob)  # or a typed schema (pydantic) over JSON",
+      "detection_hints": ["pickle.loads(", "yaml.load(  # without SafeLoader", "marshal.loads(", "node-serialize.unserialize"]
+    },
+    {
+      "cwe": "CWE-352",
+      "name": "Cross-Site Request Forgery (CSRF)",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "State-changing endpoint accepts cookies but has no CSRF token / SameSite protection.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "app.post('/transfer', (req, res) => {\n  doTransfer(req.session.user, req.body.amount);\n  res.send('ok');\n});",
+      "fix_pattern": "import csurf from 'csurf';\nconst csrf = csurf({ cookie: { sameSite: 'strict', httpOnly: true } });\napp.post('/transfer', csrf, (req, res) => { /* … */ });",
+      "detection_hints": ["state-changing POST without CSRF middleware", "missing SameSite cookie", "no double-submit token"]
+    },
+    {
+      "cwe": "CWE-611",
+      "name": "XML External Entity (XXE)",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "XML parser configured to resolve external entities; attacker reads local files or SSRFs.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "from xml.etree import ElementTree as ET\nroot = ET.fromstring(user_xml)",
+      "fix_pattern": "from defusedxml.ElementTree import fromstring\nroot = fromstring(user_xml)",
+      "detection_hints": ["xml.etree.ElementTree.fromstring on user input", "libxml2 without DTDLOAD off"]
+    },
+    {
+      "cwe": "CWE-601",
+      "name": "Open Redirect",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Redirect target taken from user input without allowlisting.",
+      "languages": ["javascript", "typescript", "python", "go"],
+      "vulnerable_pattern": "app.get('/login/cb', (req, res) => {\n  res.redirect(req.query.next);\n});",
+      "fix_pattern": "const ALLOW = new Set(['/home', '/profile']);\napp.get('/login/cb', (req, res) => {\n  const next = String(req.query.next || '/home');\n  res.redirect(ALLOW.has(next) ? next : '/home');\n});",
+      "detection_hints": ["res.redirect(req.query.x)", "Location header from user input"]
+    },
+    {
+      "cwe": "CWE-287",
+      "name": "Improper Authentication",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Auth check uses == on secrets (timing-leak) or falls back to anonymous when token absent.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "def check_token(presented, expected):\n    return presented == expected",
+      "fix_pattern": "import hmac\n\ndef check_token(presented, expected):\n    return hmac.compare_digest(presented.encode(), expected.encode())",
+      "detection_hints": ["== between tokens/HMAC", "missing auth check fallback to user", "if not token: pass"]
+    },
+    {
+      "cwe": "CWE-285",
+      "name": "Improper Authorization",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Endpoint authenticates the user but never checks if they are AUTHORISED for the specific resource.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "@app.get('/orders/{order_id}')\ndef get_order(order_id, user=Depends(current_user)):\n    return db.orders.find_one({'id': order_id})",
+      "fix_pattern": "@app.get('/orders/{order_id}')\ndef get_order(order_id, user=Depends(current_user)):\n    o = db.orders.find_one({'id': order_id})\n    if o['user_id'] != user.id and not user.is_admin:\n        raise HTTPException(403)\n    return o",
+      "detection_hints": ["resource fetch without owner check", "{id} from URL passed straight to DB"]
+    },
+    {
+      "cwe": "CWE-862",
+      "name": "Missing Authorization",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Sensitive route has no auth decorator at all.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "@app.delete('/admin/users/{id}')\ndef delete_user(id):\n    db.users.delete_one({'id': id})",
+      "fix_pattern": "@app.delete('/admin/users/{id}')\ndef delete_user(id, user=Depends(require_admin)):\n    db.users.delete_one({'id': id})",
+      "detection_hints": ["admin/destructive route without auth middleware", "no @login_required"]
+    },
+    {
+      "cwe": "CWE-863",
+      "name": "Incorrect Authorization (default-allow)",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Authorisation flag defaults to a permissive value (e.g. is_admin = True by default).",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "class User(BaseModel):\n    id: int\n    name: str\n    is_superuser: bool = True",
+      "fix_pattern": "class User(BaseModel):\n    id: int\n    name: str\n    is_superuser: bool = False  # default-DENY",
+      "detection_hints": ["= True default on permission/role field", "default admin role", "open-by-default flag"]
+    },
+    {
+      "cwe": "CWE-798",
+      "name": "Hardcoded Credentials",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "API keys, passwords, or tokens are literal string constants in source.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "const STRIPE_KEY = 'sk_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345678';",
+      "fix_pattern": "const STRIPE_KEY = process.env.STRIPE_KEY!;\nif (!STRIPE_KEY) throw new Error('STRIPE_KEY env var required');",
+      "detection_hints": ["literal API/secret keys assigned to constants", "AKIA…/ghp_…/sk_live_… in source"]
+    },
+    {
+      "cwe": "CWE-321",
+      "name": "Hardcoded Cryptographic Key",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "Symmetric/asymmetric key embedded in source; rotating requires a code change.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "const SECRET = 'my-jwt-signing-key-12345';\njwt.sign({ user }, SECRET);",
+      "fix_pattern": "const SECRET = process.env.JWT_SECRET!;  // rotate by changing env, not code\njwt.sign({ user }, SECRET);",
+      "detection_hints": ["BEGIN PRIVATE KEY in source", "literal HMAC/JWT secret"]
+    },
+    {
+      "cwe": "CWE-327",
+      "name": "Broken Cryptographic Algorithm",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Uses MD5/SHA1 for security-sensitive purposes; uses DES/3DES; uses ECB mode.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "import hashlib\nh = hashlib.md5(password.encode()).hexdigest()",
+      "fix_pattern": "import bcrypt\nh = bcrypt.hashpw(password.encode(), bcrypt.gensalt())",
+      "detection_hints": ["hashlib.md5(", "hashlib.sha1( for security", "Cipher.getInstance('DES')", "AES.MODE_ECB"]
+    },
+    {
+      "cwe": "CWE-330",
+      "name": "Insufficient Randomness",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Math.random / random.random / rand() used for tokens / passwords / session ids.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "function newSessionId() {\n  return Math.random().toString(36).slice(2);\n}",
+      "fix_pattern": "import crypto from 'node:crypto';\nfunction newSessionId() {\n  return crypto.randomBytes(32).toString('base64url');\n}",
+      "detection_hints": ["Math.random for token/session", "random.random for secret", "rand() for crypto"]
+    },
+    {
+      "cwe": "CWE-209",
+      "name": "Information Exposure via Error Message",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Stack traces / DB errors returned to the client.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "app.use((err, req, res, _next) => {\n  res.status(500).send(err.stack);\n});",
+      "fix_pattern": "app.use((err, req, res, _next) => {\n  log.error(err);\n  res.status(500).send('internal error');\n});",
+      "detection_hints": ["err.stack in HTTP response", "traceback returned to client"]
+    },
+    {
+      "cwe": "CWE-532",
+      "name": "Sensitive Data Written to Logs",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Passwords / tokens / PII written to application logs.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "log.info('user login', { email, password });",
+      "fix_pattern": "log.info('user login', { email });  // never log raw passwords/tokens",
+      "detection_hints": ["log\\.\\w+\\(.*password", "console.log of req.body", "JSON.stringify(user)"]
+    },
+    {
+      "cwe": "CWE-200",
+      "name": "Exposure of Sensitive Information",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Endpoint returns more data than the consumer needs (full user record with hash).",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "@app.get('/me')\ndef me(user=Depends(current_user)):\n    return user.dict()  # includes password_hash, recovery_token, ...",
+      "fix_pattern": "class MeOut(BaseModel):\n    id: int\n    name: str\n    email: str\n\n@app.get('/me', response_model=MeOut)\ndef me(user=Depends(current_user)):\n    return user",
+      "detection_hints": ["return user.dict() of internal model", "no response_model schema"]
+    },
+    {
+      "cwe": "CWE-20",
+      "name": "Improper Input Validation",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Server trusts the shape / range / type of inbound data.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "app.post('/users', (req, res) => {\n  db.users.insert(req.body);  // ANY shape accepted\n});",
+      "fix_pattern": "const NewUser = z.object({ email: z.string().email(), name: z.string().max(80) });\napp.post('/users', (req, res) => {\n  const u = NewUser.parse(req.body);\n  db.users.insert(u);\n});",
+      "detection_hints": ["db insert of raw req.body", "no schema parse/validation"]
+    },
+    {
+      "cwe": "CWE-915",
+      "name": "Mass Assignment",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Object updated by spreading user input — attacker can set is_admin / balance / etc.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "app.patch('/me', (req, res) => {\n  Object.assign(user, req.body);\n  user.save();\n});",
+      "fix_pattern": "app.patch('/me', (req, res) => {\n  const allowed = ['displayName', 'avatarUrl'];\n  for (const k of allowed) if (req.body[k] !== undefined) user[k] = req.body[k];\n  user.save();\n});",
+      "detection_hints": ["Object.assign(user, req.body)", "user.update(**body)"]
+    },
+    {
+      "cwe": "CWE-190",
+      "name": "Integer Overflow / Wraparound",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Arithmetic on user-controlled integers overflows the language's int width (Go int32, JS bit-ops).",
+      "languages": ["go", "javascript", "typescript"],
+      "vulnerable_pattern": "func totalPrice(unitCents, qty int32) int32 {\n  return unitCents * qty\n}",
+      "fix_pattern": "func totalPrice(unitCents, qty int32) (int32, error) {\n  v := int64(unitCents) * int64(qty)\n  if v > math.MaxInt32 || v < math.MinInt32 { return 0, errors.New(\"overflow\") }\n  return int32(v), nil\n}",
+      "detection_hints": ["unbounded multiplication of user input", "int32 arithmetic without bound check"]
+    },
+    {
+      "cwe": "CWE-369",
+      "name": "Division by Zero",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Divisor can be 0 because the validation was only on the numerator.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "def average(values):\n    return sum(values) / len(values)",
+      "fix_pattern": "def average(values):\n    if not values: return 0\n    return sum(values) / len(values)",
+      "detection_hints": ["a / b without checking b == 0", "len(x) in denominator"]
+    },
+    {
+      "cwe": "CWE-476",
+      "name": "Null / Undefined Dereference",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Optional value used without checking for null/undefined.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "function pickEmail(user) {\n  return user.profile.contact.email;\n}",
+      "fix_pattern": "function pickEmail(user) {\n  return user?.profile?.contact?.email ?? null;\n}",
+      "detection_hints": ["chained .x.y without ?.", "*p without nil check in Go"]
+    },
+    {
+      "cwe": "CWE-754",
+      "name": "Missing Check for Unusual Conditions",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Return value of a fallible call is not inspected.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "func write(path string, data []byte) {\n  os.WriteFile(path, data, 0644)\n}",
+      "fix_pattern": "func write(path string, data []byte) error {\n  if err := os.WriteFile(path, data, 0644); err != nil {\n    return err\n  }\n  return nil\n}",
+      "detection_hints": ["unreturned err in Go", "promise without await/catch"]
+    },
+    {
+      "cwe": "CWE-755",
+      "name": "Improper Handling of Exceptional Conditions",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Bare except / catch swallows errors without logging.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "try:\n    do_work()\nexcept Exception:\n    pass",
+      "fix_pattern": "try:\n    do_work()\nexcept SomeKnownError as exc:\n    log.warning('work failed', exc_info=exc)\n    raise",
+      "detection_hints": ["bare except: pass", "catch(e) {} empty", "swallowed promise rejection"]
+    },
+    {
+      "cwe": "CWE-682",
+      "name": "Incorrect Calculation",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Math used for money / discounts / tax has wrong operator order or float-for-currency.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "function totalAfterDiscount(price, taxRate, discount) {\n  return price * (1 + taxRate) - discount;  // tax on pre-discount price\n}",
+      "fix_pattern": "function totalAfterDiscount(price, taxRate, discount) {\n  return (price - discount) * (1 + taxRate);  // discount first, then tax\n}",
+      "detection_hints": ["price arithmetic with float", "discount applied after tax"]
+    },
+    {
+      "cwe": "CWE-617",
+      "name": "Reachable Assertion",
+      "category": "logic",
+      "severity": "low",
+      "cause": "assert used as runtime check; stripped in -O / disabled in prod builds.",
+      "languages": ["python", "go"],
+      "vulnerable_pattern": "def transfer(amount):\n    assert amount > 0\n    book(amount)",
+      "fix_pattern": "def transfer(amount):\n    if amount <= 0:\n        raise ValueError('amount must be positive')\n    book(amount)",
+      "detection_hints": ["assert as validation in Python", "panic in Go on user input"]
+    },
+    {
+      "cwe": "CWE-401",
+      "name": "Resource Leak (missing close)",
+      "category": "resource",
+      "severity": "medium",
+      "cause": "File / DB / socket opened without `with` / `defer Close()` / `try-finally`.",
+      "languages": ["python", "go", "javascript", "typescript"],
+      "vulnerable_pattern": "def read_config(p):\n    f = open(p)\n    data = f.read()\n    return data",
+      "fix_pattern": "def read_config(p):\n    with open(p) as f:\n        return f.read()",
+      "detection_hints": ["open() without with", "missing defer Close()", "no try/finally around resource"]
+    },
+    {
+      "cwe": "CWE-770",
+      "name": "Allocation Without Limits",
+      "category": "resource",
+      "severity": "medium",
+      "cause": "Server allocates response/list/buffer proportional to user input with no upper bound.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "app.post('/echo', (req, res) => {\n  const out = req.body.text.repeat(req.body.n);  // attacker sets n = 1e9\n  res.send(out);\n});",
+      "fix_pattern": "app.post('/echo', (req, res) => {\n  const n = Math.min(1000, Number(req.body.n) || 0);\n  res.send(String(req.body.text).repeat(n));\n});",
+      "detection_hints": ["user-controlled multiplier", "Array(n) with n from request"]
+    },
+    {
+      "cwe": "CWE-400",
+      "name": "Uncontrolled Resource Consumption (DoS)",
+      "category": "resource",
+      "severity": "medium",
+      "cause": "Regex with catastrophic backtracking, JSON.parse on huge input, fork-bomb-like loop.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "const RE = /^(a+)+$/;\nfunction check(s) { return RE.test(s); }",
+      "fix_pattern": "// Use an atomic / linear-time regex (re2 / RE2) or an explicit parser.\nimport RE2 from 're2';\nconst RE = new RE2('^a+$');",
+      "detection_hints": ["nested quantifiers in regex", "no body-size limit", "loop bound = user input"]
+    },
+    {
+      "cwe": "CWE-362",
+      "name": "Race Condition (TOCTOU)",
+      "category": "concurrency",
+      "severity": "medium",
+      "cause": "Check-then-act on shared state without a lock / transaction; another caller sneaks in.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "async def place_order(product_id, qty):\n    inv = await db.get_inventory(product_id)\n    if inv.qty >= qty:\n        await db.set_inventory(product_id, inv.qty - qty)\n        await db.create_order(product_id, qty)",
+      "fix_pattern": "async def place_order(product_id, qty):\n    async with db.transaction():\n        # atomic UPDATE … WHERE qty >= :qty RETURNING …\n        ok = await db.deduct_if_enough(product_id, qty)\n        if not ok: return {'status': 'out_of_stock'}\n        await db.create_order(product_id, qty)",
+      "detection_hints": ["check then act on shared inventory / counter", "get + set without lock", "exists() then create()"]
+    },
+    {
+      "cwe": "CWE-367",
+      "name": "TOCTOU File Check",
+      "category": "concurrency",
+      "severity": "medium",
+      "cause": "os.path.exists / stat then open — attacker swaps the file in between.",
+      "languages": ["python", "go", "javascript", "typescript"],
+      "vulnerable_pattern": "if os.path.exists(path):\n    with open(path) as f: data = f.read()",
+      "fix_pattern": "try:\n    with open(path) as f: data = f.read()\nexcept FileNotFoundError:\n    data = None",
+      "detection_hints": ["exists() then open()", "stat() then chmod()"]
+    },
+    {
+      "cwe": "CWE-833",
+      "name": "Deadlock",
+      "category": "concurrency",
+      "severity": "high",
+      "cause": "Two locks acquired in different orders by different code paths; both block forever.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "func transfer(a, b *Account, amount int) {\n  a.lock.Lock(); defer a.lock.Unlock()\n  b.lock.Lock(); defer b.lock.Unlock()\n  a.bal -= amount; b.bal += amount\n}",
+      "fix_pattern": "func transfer(a, b *Account, amount int) {\n  // global ordering: always lock the lower-id account first\n  first, second := a, b\n  if a.id > b.id { first, second = b, a }\n  first.lock.Lock(); defer first.lock.Unlock()\n  second.lock.Lock(); defer second.lock.Unlock()\n  a.bal -= amount; b.bal += amount\n}",
+      "detection_hints": ["two mutexes locked without global ordering", "nested locks on different objects"]
+    },
+    {
+      "cwe": "CWE-664",
+      "name": "Improper Control of Resource Through Lifetime",
+      "category": "resource",
+      "severity": "medium",
+      "cause": "Use-after-free / use after .close() / handle invalidated by another caller.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "f = open(path)\nf.close()\ndata = f.read()  # use after close",
+      "fix_pattern": "with open(path) as f:\n    data = f.read()",
+      "detection_hints": ["read after close()", "use after Free()/Destroy()"]
+    },
+    {
+      "cwe": "CWE-1188",
+      "name": "Insecure Default Value",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Field with permissive default (admin, public, off-by-default safety) silently grants access.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "class Settings(BaseModel):\n    debug_endpoint_enabled: bool = True\n    auth_required: bool = False",
+      "fix_pattern": "class Settings(BaseModel):\n    debug_endpoint_enabled: bool = False  # explicit opt-in only\n    auth_required: bool = True",
+      "detection_hints": ["= True default for debug/admin/superuser flag", "= False for auth/security flag"]
+    },
+    {
+      "cwe": "CWE-345",
+      "name": "Insufficient Verification of Data Authenticity",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Webhook / JWT / signed message accepted without verifying signature.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "app.post('/webhook', (req, res) => {\n  process(req.body);\n  res.sendStatus(200);\n});",
+      "fix_pattern": "app.post('/webhook', (req, res) => {\n  const sig = req.header('X-Signature');\n  if (!verifyHmac(req.rawBody, sig, SECRET)) return res.sendStatus(401);\n  process(req.body);\n  res.sendStatus(200);\n});",
+      "detection_hints": ["webhook handler without signature check", "JWT.decode without verify"]
+    },
+    {
+      "cwe": "CWE-384",
+      "name": "Session Fixation",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Session id reused across login; attacker who pre-set it on the victim now has authenticated access.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "@app.post('/login')\ndef login(form):\n    if check_password(form.user, form.password):\n        request.session['user'] = form.user  # session id unchanged\n    return redirect('/')",
+      "fix_pattern": "@app.post('/login')\ndef login(form):\n    if check_password(form.user, form.password):\n        request.session.regenerate()  # NEW session id post-auth\n        request.session['user'] = form.user\n    return redirect('/')",
+      "detection_hints": ["set session[user] without regenerate", "no session_regenerate_id() at login"]
+    },
+    {
+      "cwe": "CWE-1004",
+      "name": "Sensitive Cookie Without HttpOnly",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Session cookie set without HttpOnly; readable from JS → XSS upgrades to session theft.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "res.cookie('sid', sessionId, { secure: true });",
+      "fix_pattern": "res.cookie('sid', sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });",
+      "detection_hints": ["res.cookie( without httpOnly", "set_cookie without HttpOnly"]
+    },
+    {
+      "cwe": "CWE-614",
+      "name": "Sensitive Cookie Without Secure",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Cookie carrying session over HTTP; intercepted on any open network.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "res.cookie('sid', sessionId, { httpOnly: true });",
+      "fix_pattern": "res.cookie('sid', sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });",
+      "detection_hints": ["cookie without secure flag on auth-bearing app"]
+    },
+    {
+      "cwe": "CWE-426",
+      "name": "Untrusted Search Path",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "PATH / module-import path includes a user-writable directory; attacker plants a binary.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "import subprocess\nsubprocess.run(['my-tool', '--help'])  # relies on PATH",
+      "fix_pattern": "import subprocess, shutil\ntool = shutil.which('my-tool')\nif not tool or not tool.startswith('/usr/'): raise RuntimeError('tool not trusted')\nsubprocess.run([tool, '--help'])",
+      "detection_hints": ["bare exec() relying on PATH", "import from cwd-relative path"]
+    },
+    {
+      "cwe": "CWE-732",
+      "name": "Incorrect Permission Assignment",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "File created world-writable / world-readable when it holds secrets.",
+      "languages": ["python", "go", "javascript", "typescript"],
+      "vulnerable_pattern": "with open('.secrets', 'w') as f:\n    f.write(token)",
+      "fix_pattern": "import os\nfd = os.open('.secrets', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)\nwith os.fdopen(fd, 'w') as f:\n    f.write(token)",
+      "detection_hints": ["mode 0o644/0o666/0o777 for secret file", "no umask"]
+    },
+    {
+      "cwe": "CWE-922",
+      "name": "Insecure Storage of Sensitive Information",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Secrets stored plaintext in localStorage / sqlite / files; recoverable post-breach.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "localStorage.setItem('token', token);",
+      "fix_pattern": "// Tokens belong in HttpOnly+Secure cookies, NOT in localStorage (XSS-reachable).\nres.cookie('sid', sessionId, { httpOnly: true, secure: true, sameSite: 'lax' });",
+      "detection_hints": ["localStorage.setItem with token/password", "plaintext secret in sqlite/json"]
+    },
+    {
+      "cwe": "CWE-704",
+      "name": "Incorrect Type Conversion",
+      "category": "logic",
+      "severity": "low",
+      "cause": "parseInt('1.5') == 1; '5'+'5' = '55'; user_id == '0' truthy in some langs.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "function total(items) {\n  let s = 0;\n  for (const x of items) s = s + x.price;  // strings concatenate!\n  return s;\n}",
+      "fix_pattern": "function total(items) {\n  let s = 0;\n  for (const x of items) s += Number(x.price);\n  return s;\n}",
+      "detection_hints": ["+ on string|number union", "loose == on heterogeneous types"]
+    },
+    {
+      "cwe": "CWE-471",
+      "name": "Modification of Assumed Immutable Data",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Caller mutates an argument; second caller sees the mutated value.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "DEFAULTS = {'limit': 10}\n\ndef configure(overrides=DEFAULTS):\n    overrides['limit'] += 1  # mutates the module-level dict!\n    return overrides",
+      "fix_pattern": "DEFAULTS = {'limit': 10}\n\ndef configure(overrides=None):\n    cfg = {**DEFAULTS, **(overrides or {})}\n    cfg['limit'] += 1\n    return cfg",
+      "detection_hints": ["mutable default arg", "in-place modify of caller's arg"]
+    },
+    {
+      "cwe": "CWE-209c",
+      "name": "Verbose Error in Response Body",
+      "category": "api_misuse",
+      "severity": "low",
+      "cause": "App returns `{stack, query, env}` on 500 — useful for attacker recon.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "app.use((err, req, res, _next) => {\n  res.status(500).json({ error: err.message, stack: err.stack, env: process.env });\n});",
+      "fix_pattern": "app.use((err, req, res, _next) => {\n  log.error(err);\n  res.status(500).json({ error: 'internal' });\n});",
+      "detection_hints": ["process.env in response", "err.stack in response"]
+    },
+    {
+      "cwe": "CWE-913",
+      "name": "Improper Control of Dynamically-Managed Code Resources",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "require()/import()/dlopen() target from user input.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "const mod = require(req.body.plugin);  // user-chosen module",
+      "fix_pattern": "const ALLOWED = new Set(['stripe', 'paypal']);\nif (!ALLOWED.has(req.body.plugin)) throw new Error('unknown plugin');\nconst mod = require(req.body.plugin);",
+      "detection_hints": ["require(user_input)", "import(user_string)", "__import__(user_input)"]
+    },
+    {
+      "cwe": "CWE-1336",
+      "name": "Improper Neutralization of Special Elements Used in a Template Engine",
+      "category": "api_misuse",
+      "severity": "critical",
+      "cause": "User input rendered as Jinja2 / Handlebars / template source instead of as value.",
+      "languages": ["python", "javascript", "typescript"],
+      "vulnerable_pattern": "from jinja2 import Template\nt = Template('Hello ' + user_message)  # user controls template!\nreturn t.render()",
+      "fix_pattern": "from jinja2 import Template\nt = Template('Hello {{ msg }}')  # template is fixed\nreturn t.render(msg=user_message)",
+      "detection_hints": ["Template(string+user_input)", "render_template_string( with user data in template"]
+    },
+    {
+      "cwe": "CWE-915b",
+      "name": "Trust Boundary Violation",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Trusted-side variable populated from untrusted source without re-validation.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "session['user_id'] = request.json['user_id']  # trusts client",
+      "fix_pattern": "session['user_id'] = authenticate_request(request).id  # derived server-side",
+      "detection_hints": ["session[…] = request.body[…]", "auth fields set from client payload"]
+    },
+    {
+      "cwe": "CWE-1284",
+      "name": "Improper Validation of Specified Quantity in Input",
+      "category": "logic",
+      "severity": "medium",
+      "cause": "Count / size / limit from user not bounded; loops over it.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "for i in range(int(request.args['n'])):\n    do_work()",
+      "fix_pattern": "n = max(1, min(1000, int(request.args.get('n', 1))))\nfor i in range(n):\n    do_work()",
+      "detection_hints": ["range(int(user_input))", "for i := 0; i < n; i++ where n from request"]
+    },
+    {
+      "cwe": "CWE-201",
+      "name": "Insertion of Sensitive Information Into Sent Data",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "Response includes internal IDs/email of OTHER users (e.g. listing endpoint without filtering).",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "@app.get('/users')\ndef list_users():\n    return [u.dict() for u in db.users.all()]  # leaks everyone's email + hash",
+      "fix_pattern": "@app.get('/users')\ndef list_users(user=Depends(current_user)):\n    return [{'id': u.id, 'name': u.name} for u in db.users.public()]",
+      "detection_hints": ["public listing of full user records", "no role-based filtering"]
+    },
+    {
+      "cwe": "CWE-1395",
+      "name": "Dependency on Vulnerable Component (transitive)",
+      "category": "api_misuse",
+      "severity": "medium",
+      "cause": "package.json / requirements.txt pins a version known to have an active CVE.",
+      "languages": ["javascript", "typescript", "python"],
+      "vulnerable_pattern": "\"lodash\": \"4.17.20\"",
+      "fix_pattern": "\"lodash\": \"^4.17.21\"  // CVE-2021-23337 fix",
+      "detection_hints": ["pinning to a known-CVE version", "yarn.lock with known-vuln entry"]
+    },
+    {
+      "cwe": "CWE-915c",
+      "name": "Prototype Pollution (JS)",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Deep-merge of user object into Object.prototype lets attacker set global props on all objects.",
+      "languages": ["javascript", "typescript"],
+      "vulnerable_pattern": "function merge(t, s) {\n  for (const k in s) t[k] = (typeof s[k]==='object') ? merge(t[k]||{}, s[k]) : s[k];\n  return t;\n}\nmerge({}, JSON.parse(req.body));",
+      "fix_pattern": "function safeAssign(t, s) {\n  for (const k of Object.keys(s)) {\n    if (k === '__proto__' || k === 'constructor' || k === 'prototype') continue;\n    t[k] = s[k];\n  }\n  return t;\n}",
+      "detection_hints": ["deep merge of user JSON", "for…in without hasOwnProperty filter"]
+    },
+    {
+      "cwe": "CWE-444",
+      "name": "HTTP Request Smuggling",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "Conflicting Content-Length / Transfer-Encoding headers from a proxy → desync with backend.",
+      "languages": ["javascript", "typescript", "python", "go"],
+      "vulnerable_pattern": "// custom HTTP parser that trusts both CL and TE",
+      "fix_pattern": "// Use a well-maintained HTTP server (nginx/node-http2) that rejects ambiguous framing.",
+      "detection_hints": ["raw HTTP parsing", "trusting both Content-Length and Transfer-Encoding"]
+    },
+    {
+      "cwe": "CWE-732b",
+      "name": "Path-controlled chown/chmod",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "chmod / chown called on a user-controlled path; victim's files acquire attacker permissions.",
+      "languages": ["python", "go"],
+      "vulnerable_pattern": "os.chmod(request.form['path'], 0o777)",
+      "fix_pattern": "# Refuse path traversal first; whitelist parents.\n# Then derive the path from server-side data, not user input.",
+      "detection_hints": ["chmod/chown with user path", "no containment check"]
+    },
+    {
+      "cwe": "CWE-787",
+      "name": "Out-of-Bounds Write",
+      "category": "resource",
+      "severity": "critical",
+      "cause": "Buffer indexed with user-controlled offset without bounds check; mostly C/C++ but also Buffer in Node.",
+      "languages": ["javascript", "typescript"],
+      "vulnerable_pattern": "const buf = Buffer.alloc(16);\nbuf.writeUInt32LE(value, offset);  // offset from request",
+      "fix_pattern": "const buf = Buffer.alloc(16);\nconst off = Number.isInteger(offset) && offset >= 0 && offset <= 12 ? offset : 0;\nbuf.writeUInt32LE(value, off);",
+      "detection_hints": ["Buffer write with user offset", "no bound check on index"]
+    },
+    {
+      "cwe": "CWE-1295",
+      "name": "Debug Endpoint Exposed in Production",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "/debug, /metrics, /admin reachable without auth or behind weak token.",
+      "languages": ["python", "javascript", "typescript", "go"],
+      "vulnerable_pattern": "@app.get('/debug/db')\ndef db_dump():\n    return db.dump()",
+      "fix_pattern": "@app.get('/debug/db')\ndef db_dump(user=Depends(require_admin)):\n    if not settings.DEBUG_ENDPOINTS_ENABLED: raise HTTPException(404)\n    return db.dump()",
+      "detection_hints": ["/debug/, /admin/ without auth", "DEBUG=True route"]
+    },
+    {
+      "cwe": "CWE-829",
+      "name": "Inclusion of Functionality from Untrusted Source",
+      "category": "api_misuse",
+      "severity": "high",
+      "cause": "<script src> / import URL from a third party with no SRI / pinning.",
+      "languages": ["javascript", "typescript"],
+      "vulnerable_pattern": "<script src=\"https://cdn.example.com/lib.js\"></script>",
+      "fix_pattern": "<script src=\"https://cdn.example.com/lib.js\" integrity=\"sha384-...\" crossorigin=\"anonymous\"></script>",
+      "detection_hints": ["<script src> without SRI", "fetch dynamic JS from untrusted CDN"]
+    }
+  ]
+}