ferret-scan 2.1.1 → 2.2.0

package/dist/utils/safeRegex.d.ts

@@ -0,0 +1,94 @@
+/**
+ * Safe regex runtime utilities with bounded runtime and match limits
+ *
+ * Prevents ReDoS attacks and runaway regex matching in user-controlled patterns.
+ */
+export interface BoundedOptions {
+    /** Maximum runtime in milliseconds (default: 1000) */
+    maxMs?: number;
+    /** Maximum number of matches to collect (default: 500) */
+    maxMatches?: number;
+}
+export interface BoundedResult {
+    /** Array of captured matches */
+    matches: RegExpExecArray[];
+    /** Whether runtime was truncated due to time/count limits */
+    truncated: boolean;
+}
+/**
+ * Compile a pattern string into a RegExp, rejecting obviously dangerous patterns.
+ *
+ * This function screens for common ReDoS patterns and syntax errors before
+ * compilation, returning null for unsafe inputs.
+ *
+ * @param raw The raw pattern string
+ * @param flags Regex flags (default: 'gi')
+ * @returns Compiled RegExp or null if pattern is unsafe
+ *
+ * @example
+ * ```typescript
+ * const safe = compileSafePattern('test\\d+');   // OK
+ * const unsafe = compileSafePattern('(a+)+b');   // null - ReDoS risk
+ * const invalid = compileSafePattern('[unclosed'); // null - syntax error
+ * ```
+ */
+export declare function compileSafePattern(raw: string, flags?: string): RegExp | null;
+/**
+ * Run a regex against content with bounded runtime and match limits.
+ *
+ * This function wraps RegExp for each step with timeout and match count protection
+ * to prevent runaway regex operations from hanging the application.
+ *
+ * @param pattern The compiled RegExp to run
+ * @param content The content to search
+ * @param options Runtime limits
+ * @returns Result containing matches and truncation status
+ *
+ * @example
+ * ```typescript
+ * const pattern = /test\d+/g;
+ * const { matches, truncated } = runBounded(pattern, content, { maxMs: 500 });
+ * if (truncated) {
+ *   console.warn('Regex operation was truncated');
+ * }
+ * ```
+ */
+export declare function runBounded(pattern: RegExp, content: string, options?: BoundedOptions): BoundedResult;
+/**
+ * Safe pattern matching that combines compilation and bounded runtime.
+ *
+ * This is a convenience wrapper that safely compiles a pattern and runs
+ * it with bounds, handling both compilation failures and runtime limits.
+ *
+ * @param rawPattern The raw pattern string
+ * @param content The content to search
+ * @param flags Regex flags (default: 'gi')
+ * @param options Runtime limits
+ * @returns Match result or null if pattern is unsafe
+ *
+ * @example
+ * ```typescript
+ * const result = safeMatch('test\\d+', content);
+ * if (result === null) {
+ *   console.warn('Unsafe or invalid pattern');
+ * } else if (result.truncated) {
+ *   console.warn('Pattern operation was bounded');
+ * } else {
+ *   console.log(`Found ${result.matches.length} matches`);
+ * }
+ * ```
+ */
+export declare function safeMatch(rawPattern: string, content: string, flags?: string, options?: BoundedOptions): BoundedResult | null;
+/**
+ * Test if a pattern matches content safely, returning boolean result.
+ *
+ * This is equivalent to RegExp.test() but with safety checks and bounds.
+ * Returns false for unsafe patterns or bounded operations.
+ *
+ * @param rawPattern The raw pattern string
+ * @param content The content to test
+ * @param flags Regex flags (default: 'i')
+ * @returns True if pattern matches safely, false otherwise
+ */
+export declare function safeTest(rawPattern: string, content: string, flags?: string): boolean;
+//# sourceMappingURL=safeRegex.d.ts.map

package/dist/utils/safeRegex.js

@@ -0,0 +1,147 @@
+/**
+ * Safe regex runtime utilities with bounded runtime and match limits
+ *
+ * Prevents ReDoS attacks and runaway regex matching in user-controlled patterns.
+ */
+/**
+ * Compile a pattern string into a RegExp, rejecting obviously dangerous patterns.
+ *
+ * This function screens for common ReDoS patterns and syntax errors before
+ * compilation, returning null for unsafe inputs.
+ *
+ * @param raw The raw pattern string
+ * @param flags Regex flags (default: 'gi')
+ * @returns Compiled RegExp or null if pattern is unsafe
+ *
+ * @example
+ * ```typescript
+ * const safe = compileSafePattern('test\\d+');   // OK
+ * const unsafe = compileSafePattern('(a+)+b');   // null - ReDoS risk
+ * const invalid = compileSafePattern('[unclosed'); // null - syntax error
+ * ```
+ */
+export function compileSafePattern(raw, flags = 'gi') {
+    // Screen for obvious ReDoS triggers.
+    // We only block patterns where the quantifier structure can cause exponential
+    // backtracking — simple multi-alternative strings like (foo|bar|baz) are safe.
+    const redosPatterns = [
+        /(\?\+)/, // Possessive quantifier abuse: a+?+
+        /(\+\+)/, // Double plus: a++
+        /(\*\*)/, // Double star: a**
+        /(\(.*\+\)\+)/, // Nested quantifiers: (a+)+
+        /(\(.*\*\)\*)/, // Nested quantifiers: (a*)*
+        /(\(.*\+\)\{)/, // Quantified groups: (a+){2,}
+        /(\(.*\|.*\)\+)/, // Alternation inside quantified group: (a|b)+
+        /(\(.*\|.*\)\*)/, // Alternation inside quantified group: (a|b)*
+        /(\(.*\|.*\)\{)/, // Alternation inside bounded group: (a|b){2,}
+    ];
+    for (const redos of redosPatterns) {
+        if (redos.test(raw)) {
+            return null;
+        }
+    }
+    // Attempt compilation
+    try {
+        return new RegExp(raw, flags);
+    }
+    catch {
+        // Invalid syntax
+        return null;
+    }
+}
+/**
+ * Run a regex against content with bounded runtime and match limits.
+ *
+ * This function wraps RegExp for each step with timeout and match count protection
+ * to prevent runaway regex operations from hanging the application.
+ *
+ * @param pattern The compiled RegExp to run
+ * @param content The content to search
+ * @param options Runtime limits
+ * @returns Result containing matches and truncation status
+ *
+ * @example
+ * ```typescript
+ * const pattern = /test\d+/g;
+ * const { matches, truncated } = runBounded(pattern, content, { maxMs: 500 });
+ * if (truncated) {
+ *   console.warn('Regex operation was truncated');
+ * }
+ * ```
+ */
+export function runBounded(pattern, content, options = {}) {
+    const maxMs = options.maxMs ?? 1000;
+    const maxMatches = options.maxMatches ?? 500;
+    const deadline = Date.now() + maxMs;
+    const matches = [];
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+        // Check time limit
+        if (Date.now() > deadline) {
+            return { matches, truncated: true };
+        }
+        // Check match count limit
+        if (matches.length >= maxMatches) {
+            return { matches, truncated: true };
+        }
+        matches.push(match);
+        // For non-global patterns, break after first match to avoid infinite loop
+        if (!pattern.global) {
+            break;
+        }
+        // Prevent infinite loop on zero-length matches for global patterns
+        if (match[0].length === 0) {
+            pattern.lastIndex++;
+        }
+    }
+    return { matches, truncated: false };
+}
+/**
+ * Safe pattern matching that combines compilation and bounded runtime.
+ *
+ * This is a convenience wrapper that safely compiles a pattern and runs
+ * it with bounds, handling both compilation failures and runtime limits.
+ *
+ * @param rawPattern The raw pattern string
+ * @param content The content to search
+ * @param flags Regex flags (default: 'gi')
+ * @param options Runtime limits
+ * @returns Match result or null if pattern is unsafe
+ *
+ * @example
+ * ```typescript
+ * const result = safeMatch('test\\d+', content);
+ * if (result === null) {
+ *   console.warn('Unsafe or invalid pattern');
+ * } else if (result.truncated) {
+ *   console.warn('Pattern operation was bounded');
+ * } else {
+ *   console.log(`Found ${result.matches.length} matches`);
+ * }
+ * ```
+ */
+export function safeMatch(rawPattern, content, flags = 'gi', options = {}) {
+    const pattern = compileSafePattern(rawPattern, flags);
+    if (pattern === null) {
+        return null;
+    }
+    return runBounded(pattern, content, options);
+}
+/**
+ * Test if a pattern matches content safely, returning boolean result.
+ *
+ * This is equivalent to RegExp.test() but with safety checks and bounds.
+ * Returns false for unsafe patterns or bounded operations.
+ *
+ * @param rawPattern The raw pattern string
+ * @param content The content to test
+ * @param flags Regex flags (default: 'i')
+ * @returns True if pattern matches safely, false otherwise
+ */
+export function safeTest(rawPattern, content, flags = 'i') {
+    // For test, we want to check if there's ANY match, so use non-global flags
+    const testFlags = flags.replace(/g/g, ''); // Remove global flag for test behavior
+    const result = safeMatch(rawPattern, content, testFlags, { maxMatches: 1 });
+    return result !== null && result.matches.length > 0 && !result.truncated;
+}
+//# sourceMappingURL=safeRegex.js.map

package/dist/utils/schemas.d.ts

@@ -1071,6 +1071,10 @@ export declare function safeParseJSON<T>(content: string, schema: z.ZodType<T>,
  * Useful when you already have a parsed object
  */
 export declare function validateSchema<T>(data: unknown, schema: z.ZodType<T>): ParseResult<T>;
+/** Validates a comma-separated severity string parsed from the CLI. */
+export declare const SeverityValueSchema: z.ZodEnum<["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]>;
+/** Validates a comma-separated category string parsed from the CLI. */
+export declare const ThreatCategoryValueSchema: z.ZodEnum<["exfiltration", "credentials", "injection", "backdoors", "supply-chain", "permissions", "persistence", "obfuscation", "ai-specific", "advanced-hiding", "behavioral"]>;
 declare const _default: {
     ThreatIndicatorSchema: z.ZodObject<{
         value: z.ZodString;
@@ -2104,6 +2108,8 @@ declare const _default: {
         description?: string | undefined;
         checksum?: string | undefined;
     }>;
+    SeverityValueSchema: z.ZodEnum<["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFO"]>;
+    ThreatCategoryValueSchema: z.ZodEnum<["exfiltration", "credentials", "injection", "backdoors", "supply-chain", "permissions", "persistence", "obfuscation", "ai-specific", "advanced-hiding", "behavioral"]>;
     safeParseJSON: typeof safeParseJSON;
     validateSchema: typeof validateSchema;
 };

package/dist/utils/schemas.js

@@ -235,6 +235,17 @@ export function validateSchema(data, schema) {
         };
     }
 }
+// ============================================
+// CLI-parsed value schemas
+// ============================================
+/** Validates a comma-separated severity string parsed from the CLI. */
+export const SeverityValueSchema = z.enum(['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO']);
+/** Validates a comma-separated category string parsed from the CLI. */
+export const ThreatCategoryValueSchema = z.enum([
+    'exfiltration', 'credentials', 'injection', 'backdoors',
+    'supply-chain', 'permissions', 'persistence', 'obfuscation',
+    'ai-specific', 'advanced-hiding', 'behavioral',
+]);
 export default {
     ThreatIndicatorSchema,
     ThreatSourceSchema,
@@ -244,6 +255,8 @@ export default {
     ConfigFileSchema,
     BaselineFindingSchema,
     BaselineSchema,
+    SeverityValueSchema,
+    ThreatCategoryValueSchema,
     safeParseJSON,
     validateSchema,
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ferret-scan",
-  "version": "2.1.1",
+  "version": "2.2.0",
   "description": "Comprehensive AI Agent Security Platform - scan, monitor, and secure AI CLI configurations with IDE integrations, behavior analysis, and compliance frameworks",
   "type": "module",
   "main": "dist/index.js",
@@ -25,9 +25,15 @@
     "lint": "eslint src",
     "lint:fix": "eslint src --fix",
     "prepare": "npm run build",
-    "prepublishOnly": "npm run build && npm run test && npm run lint",
+    "schema:generate": "node scripts/generate-json-schema.mjs",
+    "schema:check": "node scripts/generate-json-schema.mjs --check",
+    "prepublishOnly": "npm run build && npm run schema:generate && npm run test && npm run lint",
     "scan": "node bin/ferret.js scan",
-    "check:resources": "node -e \"console.log('RAM:', Math.round(process.memoryUsage().heapUsed / 1024 / 1024) + 'MB')\""
+    "check:resources": "node -e \"console.log('RAM:', Math.round(process.memoryUsage().heapUsed / 1024 / 1024) + 'MB')\"",
+    "bench": "npm run build && node scripts/bench.mjs",
+    "bench:json": "npm run build && node scripts/bench.mjs --json",
+    "bench:compare": "node scripts/bench-compare.mjs",
+    "docs:api": "typedoc"
   },
   "keywords": [
     "ai-cli",
@@ -120,15 +126,18 @@
     }
   },
   "devDependencies": {
+    "@babel/preset-env": "^7.29.2",
     "@eslint/js": "^9.26.0",
     "@types/jest": "^29.5.11",
     "@types/node": "^20.11.0",
     "@typescript-eslint/eslint-plugin": "^8.54.0",
     "@typescript-eslint/parser": "^8.54.0",
+    "babel-jest": "^30.3.0",
     "eslint": "^9.26.0",
     "jest": "^29.7.0",
     "ts-jest": "^29.1.1",
     "typescript": "^5.0.0",
-    "typescript-eslint": "^8.54.0"
+    "typescript-eslint": "^8.54.0",
+    "zod-to-json-schema": "^3.23.0"
   }
 }