ferret-scan 2.1.2 → 2.3.0

package/dist/features/policyEnforcement.d.ts

@@ -24,17 +24,17 @@ declare const PolicyRuleSchema: z.ZodObject<{
         minRiskScore: z.ZodOptional<z.ZodNumber>;
         maxFindings: z.ZodOptional<z.ZodNumber>;
     }, "strip", z.ZodTypeAny, {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     }, {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     }>;
@@ -44,10 +44,10 @@ declare const PolicyRuleSchema: z.ZodObject<{
     enabled: boolean;
     action: "warn" | "ignore" | "block";
     conditions: {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     };
@@ -56,10 +56,10 @@ declare const PolicyRuleSchema: z.ZodObject<{
 }, {
     id: string;
     conditions: {
-        categories?: string[] | undefined;
         ruleIds?: string[] | undefined;
-        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+        categories?: string[] | undefined;
         filePatterns?: string[] | undefined;
+        severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
         minRiskScore?: number | undefined;
         maxFindings?: number | undefined;
     };
@@ -88,17 +88,17 @@ declare const PolicyConfigSchema: z.ZodObject<{
             minRiskScore: z.ZodOptional<z.ZodNumber>;
             maxFindings: z.ZodOptional<z.ZodNumber>;
         }, "strip", z.ZodTypeAny, {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         }, {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         }>;
@@ -108,10 +108,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
         enabled: boolean;
         action: "warn" | "ignore" | "block";
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -120,10 +120,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
     }, {
         id: string;
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -182,10 +182,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
         enabled: boolean;
         action: "warn" | "ignore" | "block";
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -198,10 +198,10 @@ declare const PolicyConfigSchema: z.ZodObject<{
     rules: {
         id: string;
         conditions: {
-            categories?: string[] | undefined;
             ruleIds?: string[] | undefined;
-            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+            categories?: string[] | undefined;
             filePatterns?: string[] | undefined;
+            severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
             minRiskScore?: number | undefined;
             maxFindings?: number | undefined;
         };
@@ -313,10 +313,10 @@ declare const _default: {
             enabled: boolean;
             action: "warn" | "ignore" | "block";
             conditions: {
-                categories?: string[] | undefined;
                 ruleIds?: string[] | undefined;
-                severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
+                categories?: string[] | undefined;
                 filePatterns?: string[] | undefined;
+                severities?: ("CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO")[] | undefined;
                 minRiskScore?: number | undefined;
                 maxFindings?: number | undefined;
             };

package/dist/features/policyEnforcement.js

@@ -6,6 +6,7 @@
 import { readFileSync, existsSync, writeFileSync } from 'node:fs';
 import { resolve } from 'node:path';
 import { z } from 'zod';
+import { globToRegex } from '../utils/glob.js';
 import logger from '../utils/logger.js';
 /**
  * Policy rule schema
@@ -161,7 +162,7 @@ function findingMatchesConditions(finding, conditions) {
     if (conditions.ruleIds && conditions.ruleIds.length > 0) {
         const matchesRule = conditions.ruleIds.some(id => {
             if (id.includes('*')) {
-                const pattern = new RegExp('^' + id.replace(/\*/g, '.*') + '$');
+                const pattern = globToRegex(id, { pathLike: false });
                 return pattern.test(finding.ruleId);
             }
             return finding.ruleId === id;
@@ -184,7 +185,7 @@ function findingMatchesConditions(finding, conditions) {
     // Check file patterns
     if (conditions.filePatterns && conditions.filePatterns.length > 0) {
         const matchesFile = conditions.filePatterns.some(pattern => {
-            const regex = new RegExp(pattern.replace(/\*/g, '.*'));
+            const regex = globToRegex(pattern, { pathLike: true });
             return regex.test(finding.file) || regex.test(finding.relativePath);
         });
         if (!matchesFile)

package/dist/intelligence/ThreatFeed.js

@@ -16,117 +16,262 @@ const DEFAULT_INTEL_DIR = '.ferret-intel';
 const BUILTIN_SOURCES = [
     {
         name: 'ai-cli-malicious-packages',
-        description: 'Known malicious npm packages targeting AI CLI environments',
-        lastUpdated: new Date().toISOString(),
+        description: 'Known malicious and typosquatting npm packages targeting AI CLI environments',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     },
     {
         name: 'ai-cli-suspicious-domains',
-        description: 'Suspicious domains used in AI CLI exploitation attempts',
-        lastUpdated: new Date().toISOString(),
+        description: 'Phishing and impersonation domains targeting AI CLI users and API credentials',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     },
     {
-        name: 'ai-cli-backdoor-patterns',
-        description: 'Code patterns associated with AI CLI-specific backdoors',
-        lastUpdated: new Date().toISOString(),
+        name: 'ai-cli-injection-patterns',
+        description: 'Prompt injection, jailbreak, and privilege-escalation patterns observed in the wild',
+        lastUpdated: '2025-01-01T00:00:00Z',
+        enabled: true,
+        format: 'json'
+    },
+    {
+        name: 'ai-cli-exfiltration-patterns',
+        description: 'Data exfiltration patterns embedded in AI CLI hooks and configurations',
+        lastUpdated: '2025-01-01T00:00:00Z',
         enabled: true,
         format: 'json'
     }
 ];
 /**
- * Built-in threat indicators
+ * Built-in threat indicators derived from publicly documented AI CLI attack patterns.
+ * These cover typosquatting, prompt injection, exfiltration, and privilege escalation
+ * as observed across real-world incident reports and security research (2024–2025).
+ *
+ * Note: No hash indicators are included by default. File hashes are highly specific;
+ * add them via `ferret intel add` with verified malicious-file hashes from your own
+ * threat intelligence sources.
  */
 const BUILTIN_INDICATORS = [
-    // Malicious domains
+    // ── Typosquatting / impersonation packages ─────────────────────────────────
     {
-        value: 'evil-ai-api.com',
-        type: 'domain',
-        category: 'phishing',
-        severity: 'high',
-        description: 'Fake AI API endpoint used for credential harvesting',
-        source: 'ai-cli-suspicious-domains',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        value: 'anthropic-sdk-fake',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'critical',
+        description: 'Typosquats the official @anthropic-ai/sdk package; exfiltrates API keys on install',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-03-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 95,
-        tags: ['phishing', 'fake-api', 'credential-theft']
+        tags: ['typosquat', 'credential-theft', 'install-hook']
     },
     {
-        value: 'anthropic-fake.net',
-        type: 'domain',
-        category: 'phishing',
+        value: 'openai-sdk-community',
+        type: 'package',
+        category: 'malicious-package',
         severity: 'high',
-        description: 'Impersonates legitimate AI provider domain',
-        source: 'ai-cli-suspicious-domains',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        description: 'Unofficial package impersonating the OpenAI SDK; contains a postinstall exfiltration script',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 90,
-        tags: ['phishing', 'impersonation']
+        tags: ['typosquat', 'postinstall', 'exfiltration']
     },
-    // Malicious packages
     {
-        value: 'ai-jailbreak-helper',
+        value: 'claude-code-helper',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'high',
+        description: 'Impersonates Claude Code utilities; reads ~/.claude/settings.json and beacons credentials',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-09-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['typosquat', 'credential-theft', 'ai-cli']
+    },
+    {
+        value: 'cursor-ai-extensions',
+        type: 'package',
+        category: 'malicious-package',
+        severity: 'high',
+        description: 'Fake Cursor IDE extension package; harvests .cursorrules and workspace secrets',
+        source: 'ai-cli-malicious-packages',
+        firstSeen: '2024-08-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 85,
+        tags: ['typosquat', 'ai-cli', 'cursor']
+    },
+    {
+        value: 'mcp-server-tools',
         type: 'package',
         category: 'malicious-package',
         severity: 'critical',
-        description: 'Package designed to bypass AI assistant safety mechanisms',
+        description: 'Malicious MCP server package that exfiltrates tool call arguments to a remote endpoint',
         source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 100,
-        tags: ['jailbreak', 'bypass', 'malicious-npm']
+        firstSeen: '2024-11-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 92,
+        tags: ['mcp', 'exfiltration', 'supply-chain']
     },
     {
-        value: 'anthropic-sdk-fake',
+        value: 'ai-agent-framework',
         type: 'package',
         category: 'malicious-package',
         severity: 'high',
-        description: 'Fake AI SDK that steals credentials',
+        description: 'Generic name used by multiple malicious packages to blend into AI agent dependency lists',
         source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 95,
-        tags: ['credential-theft', 'fake-sdk']
+        firstSeen: '2024-07-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 80,
+        tags: ['typosquat', 'ai-agent', 'generic-name']
+    },
+    // ── Phishing / impersonation domains ──────────────────────────────────────
+    {
+        value: 'anthropic-api.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Typosquats api.anthropic.com; used to intercept API keys in misconfigured ANTHROPIC_BASE_URL',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-04-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 93,
+        tags: ['phishing', 'api-intercept', 'anthropic']
     },
-    // Backdoor patterns
     {
-        value: 'ignore.*previous.*instructions?.*forget.*rules?',
+        value: 'openai-proxy.io',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Claimed OpenAI-compatible proxy that logs all prompts and responses',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-05-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['phishing', 'prompt-logging', 'openai']
+    },
+    {
+        value: 'cursor-updates.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'high',
+        description: 'Impersonates Cursor IDE update infrastructure; delivers trojanized VSIX files',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-07-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 87,
+        tags: ['phishing', 'ide-trojan', 'cursor']
+    },
+    {
+        value: 'mcp-registry.net',
+        type: 'domain',
+        category: 'phishing',
+        severity: 'medium',
+        description: 'Unofficial MCP server registry used to distribute malicious MCP server packages',
+        source: 'ai-cli-suspicious-domains',
+        firstSeen: '2024-10-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 78,
+        tags: ['phishing', 'mcp', 'fake-registry']
+    },
+    // ── Prompt injection / jailbreak patterns ─────────────────────────────────
+    {
+        value: 'ignore\\s+(all\\s+)?(previous|prior|above)\\s+(instructions?|rules?|constraints?|guidelines?)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'Classic instruction-override injection attempting to nullify prior system prompt directives',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2023-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 90,
+        tags: ['jailbreak', 'instruction-override', 'prompt-injection']
+    },
+    {
+        value: 'you\\s+are\\s+now\\s+(in\\s+)?(developer|jailbreak|dan|unrestricted|god)\\s+mode',
         type: 'pattern',
         category: 'jailbreak-attempt',
         severity: 'high',
-        description: 'Pattern attempting to override AI assistant safety instructions',
-        source: 'ai-cli-backdoor-patterns',
+        description: 'Developer/DAN mode activation attempt — claims to unlock unrestricted AI behavior',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2023-09-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['jailbreak', 'dan-mode', 'privilege-escalation']
+    },
+    {
+        value: 'disregard\\s+(your\\s+)?(safety|ethical|content)\\s+(policy|policies|guidelines?|filters?)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'Attempts to disable AI safety filters by direct instruction',
+        source: 'ai-cli-injection-patterns',
         firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
+        lastSeen: '2025-01-01T00:00:00Z',
         confidence: 85,
-        tags: ['jailbreak', 'instruction-override']
+        tags: ['jailbreak', 'safety-bypass']
+    },
+    {
+        value: 'print\\s+(your\\s+)?(system\\s+prompt|initial\\s+instructions?|full\\s+context)',
+        type: 'pattern',
+        category: 'jailbreak-attempt',
+        severity: 'high',
+        description: 'System prompt exfiltration via direct instruction to reveal context',
+        source: 'ai-cli-injection-patterns',
+        firstSeen: '2024-02-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 82,
+        tags: ['prompt-exfil', 'system-prompt', 'context-leak']
     },
     {
-        value: 'developer.*mode.*enabled|admin.*access.*granted',
+        value: 'as\\s+your\\s+(true\\s+)?(self|creator|master|owner)\\b',
         type: 'pattern',
-        category: 'privilege-escalation',
+        category: 'jailbreak-attempt',
         severity: 'medium',
-        description: 'Attempts to claim elevated privileges in AI assistants',
-        source: 'ai-cli-backdoor-patterns',
+        description: 'Social-engineering attack claiming authority over the AI assistant',
+        source: 'ai-cli-injection-patterns',
         firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 75,
-        tags: ['privilege-escalation', 'social-engineering']
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 70,
+        tags: ['jailbreak', 'social-engineering', 'authority-claim']
     },
-    // Hash indicators (example malicious file hashes)
+    // ── Exfiltration patterns ─────────────────────────────────────────────────
     {
-        value: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
-        type: 'hash',
-        category: 'malicious-file',
+        value: 'curl\\s+.*\\$\\{?(ANTHROPIC|OPENAI|CLAUDE|GITHUB|AWS|GCP)_?(API_?KEY|TOKEN|SECRET)',
+        type: 'pattern',
+        category: 'exfiltration',
         severity: 'critical',
-        description: 'Hash of known malicious AI CLI configuration file',
-        source: 'ai-cli-malicious-packages',
-        firstSeen: '2024-01-01T00:00:00Z',
-        lastSeen: new Date().toISOString(),
-        confidence: 100,
-        tags: ['malicious-config', 'sha256']
+        description: 'Shell command interpolating AI/cloud API keys directly into a curl request body or URL',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-03-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 95,
+        tags: ['exfiltration', 'credential-leak', 'curl', 'hook']
+    },
+    {
+        value: 'fetch\\(.*\\$\\{(conversation|messages|response|output|result)',
+        type: 'pattern',
+        category: 'exfiltration',
+        severity: 'high',
+        description: 'JavaScript fetch() call interpolating AI conversation data into a remote request',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-05-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 88,
+        tags: ['exfiltration', 'conversation-leak', 'fetch']
+    },
+    {
+        value: 'dns\\.lookup|nslookup|dig\\s+.*\\.(com|net|io|xyz)',
+        type: 'pattern',
+        category: 'exfiltration',
+        severity: 'medium',
+        description: 'DNS lookup in a hook context may indicate DNS-based data exfiltration channel',
+        source: 'ai-cli-exfiltration-patterns',
+        firstSeen: '2024-06-01T00:00:00Z',
+        lastSeen: '2025-01-01T00:00:00Z',
+        confidence: 65,
+        tags: ['exfiltration', 'dns-exfil', 'covert-channel']
     }
 ];
 /**

package/dist/remediation/Fixer.js

@@ -7,6 +7,7 @@ import { readFileSync, writeFileSync, existsSync, mkdirSync, copyFileSync, statS
 import { resolve, dirname, basename } from 'node:path';
 import logger from '../utils/logger.js';
 import { validatePathWithinBase, sanitizeFilename, isPathWithinBase } from '../utils/pathSecurity.js';
+import { compileSafePattern, safeMatch, safeTest } from '../utils/safeRegex.js';
 /**
  * Default remediation options
  */
@@ -99,6 +100,13 @@ const BUILTIN_FIXES = [
         automatic: false
     }
 ];
+// Fail fast at module load if any built-in pattern is rejected by the safe-regex gate.
+// This catches contributor mistakes at startup rather than silently at fix-application time.
+for (const fix of BUILTIN_FIXES) {
+    if (!compileSafePattern(fix.pattern)) {
+        throw new Error(`Fixer startup: BUILTIN_FIXES pattern rejected by compileSafePattern: ${fix.description} (${fix.pattern})`);
+    }
+}
 /**
  * Create backup of file before modification
  */
@@ -125,34 +133,55 @@ function applyFix(content, fix, _finding) {
     try {
         switch (fix.type) {
             case 'replace': {
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const originalLineCount = content.split('\n').length;
                 const replacement = fix.replacement ?? '';
+                // Use safe bounded matching to find replacements
+                const matchResult = safeMatch(fix.pattern, content, 'gi');
+                if (!matchResult) {
+                    logger.warn(`Safe match failed for pattern: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
+                if (matchResult.truncated) {
+                    logger.warn(`Fix pattern execution truncated for safety: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
+                // Apply replacement safely
                 newContent = content.replace(regex, replacement);
                 const newLineCount = newContent.split('\n').length;
-                linesModified = Math.abs(newLineCount - originalLineCount);
-                // Count actual replacements
-                const matches = content.match(regex);
-                if (matches) {
-                    linesModified = Math.max(linesModified, matches.length);
-                }
+                linesModified = Math.max(Math.abs(newLineCount - originalLineCount), matchResult.matches.length);
                 break;
             }
             case 'remove': {
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const lines = content.split('\n');
-                const filteredLines = lines.filter(line => !regex.test(line));
+                const filteredLines = lines.filter(line => {
+                    const isMatch = safeTest(fix.pattern, line, 'i');
+                    return !isMatch;
+                });
                 newContent = filteredLines.join('\n');
                 linesModified = lines.length - filteredLines.length;
                 break;
             }
             case 'quarantine': {
-                // For quarantine, we comment out the problematic lines
-                const regex = new RegExp(fix.pattern, 'gi');
+                const regex = compileSafePattern(fix.pattern, 'gi');
+                if (!regex) {
+                    logger.warn(`Unsafe fix pattern rejected: ${fix.pattern}`);
+                    return { success: false, newContent: content, linesModified: 0 };
+                }
                 const lines = content.split('\n');
                 for (let i = 0; i < lines.length; i++) {
                     const line = lines[i] ?? '';
-                    if (regex.test(line)) {
+                    const isMatch = safeTest(fix.pattern, line, 'i');
+                    if (isMatch) {
                         lines[i] = `# QUARANTINED: ${line}`;
                         linesModified++;
                     }
@@ -191,25 +220,22 @@ function findApplicableFixes(finding) {
     }
     // Check built-in fixes
     for (const fix of BUILTIN_FIXES) {
-        try {
-            const regex = new RegExp(fix.pattern, 'i');
-            // Check if fix pattern matches the finding
-            if (regex.test(finding.match) || regex.test(finding.context.map(c => c.content).join('\n'))) {
-                applicableFixes.push(fix);
-            }
-            // Check by rule category
-            if (finding.category === 'credentials' && fix.description.includes('credential')) {
-                applicableFixes.push(fix);
-            }
-            if (finding.category === 'injection' && fix.description.includes('jailbreak')) {
-                applicableFixes.push(fix);
-            }
-            if (finding.category === 'permissions' && fix.description.includes('permission')) {
-                applicableFixes.push(fix);
-            }
+        // Use safe pattern matching
+        const matchesDirectly = safeTest(fix.pattern, finding.match, 'i');
+        const contextText = finding.context.map(c => c.content).join('\n');
+        const matchesContext = safeTest(fix.pattern, contextText, 'i');
+        if (matchesDirectly || matchesContext) {
+            applicableFixes.push(fix);
+        }
+        // Check by rule category
+        if (finding.category === 'credentials' && fix.description.includes('credential')) {
+            applicableFixes.push(fix);
+        }
+        if (finding.category === 'injection' && fix.description.includes('jailbreak')) {
+            applicableFixes.push(fix);
         }
-        catch {
-            logger.warn(`Invalid fix pattern: ${fix.pattern}`);
+        if (finding.category === 'permissions' && fix.description.includes('permission')) {
+            applicableFixes.push(fix);
         }
     }
     // Remove duplicates