getdoorman 1.0.0

package/src/rules/bugs/index.js

@@ -0,0 +1,73 @@
+import asyncRules from './js-async.js';
+import typeCoercionRules from './js-type-coercion.js';
+import arrayObjectRules from './js-array-object.js';
+import logicRules from './js-logic.js';
+import closureScopeRules from './js-closure-scope.js';
+import errorHandlingRules from './js-error-handling.js';
+import fixableRules from './js-async-fixable.js';
+import pythonRules from './python.js';
+import pythonFixableRules from './python-fixable.js';
+import generalRules from './general.js';
+import reactRules from './js-react.js';
+import nodeRules from './js-node.js';
+import aiCodegenRules from './ai-codegen.js';
+import apiRules from './js-api.js';
+import tsRules from './ts-bugs.js';
+import stateRules from './js-state.js';
+import pythonAdvancedRules from './python-advanced.js';
+import goRules from './go-bugs.js';
+import rubyRules from './ruby-bugs.js';
+import shellRules from './shell-bugs.js';
+import reactFixableRules from './react-fixable.js';
+import nodeFixableRules from './node-fixable.js';
+import aiCodegenFixableRules from './ai-codegen-fixable.js';
+import nextjsRules from './nextjs-bugs.js';
+import regexRules from './js-regex.js';
+import memoryRules from './js-memory.js';
+import a11yRules from './accessibility.js';
+import dockerRules from './docker-bugs.js';
+import databaseRules from './js-database.js';
+import nextjsFixableRules from './nextjs-fixable.js';
+import silentFailureRules from './silent-failures.js';
+import cryptoBugRules from './crypto-bugs.js';
+import codeSmellRules from './code-smell-bugs.js';
+import unusedVarsRules from './unused-vars.js';
+
+const allBugRules = [
+  ...asyncRules,
+  ...typeCoercionRules,
+  ...arrayObjectRules,
+  ...logicRules,
+  ...closureScopeRules,
+  ...errorHandlingRules,
+  ...fixableRules,
+  ...pythonRules,
+  ...pythonFixableRules,
+  ...generalRules,
+  ...reactRules,
+  ...nodeRules,
+  ...aiCodegenRules,
+  ...apiRules,
+  ...tsRules,
+  ...stateRules,
+  ...pythonAdvancedRules,
+  ...goRules,
+  ...rubyRules,
+  ...shellRules,
+  ...reactFixableRules,
+  ...nodeFixableRules,
+  ...aiCodegenFixableRules,
+  ...nextjsRules,
+  ...regexRules,
+  ...memoryRules,
+  ...a11yRules,
+  ...dockerRules,
+  ...databaseRules,
+  ...nextjsFixableRules,
+  ...silentFailureRules,
+  ...cryptoBugRules,
+  ...codeSmellRules,
+  ...unusedVarsRules,
+];
+
+export default allBugRules;

package/src/rules/bugs/js-api.js

@@ -0,0 +1,257 @@
+// Bug detection: API call and data fetching patterns
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-API-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'fetch() without checking response.ok',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\bfetch\s*\(/.test(lines[i]) && !/import|require|mock|test|spec/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 12, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            if (/\.json\s*\(\)/.test(block) && !/response\.ok|res\.ok|\.ok\b|\.status\s*[!=]==?\s*200|if\s*\(\s*!/.test(block)) {
+              findings.push({
+                ruleId: 'BUG-API-001', category: 'bugs', severity: 'high',
+                title: 'fetch() calls .json() without checking response.ok',
+                description: 'fetch() does not throw on HTTP errors (404, 500). Always check response.ok before parsing. A 500 response will still try to parse as JSON and give cryptic errors.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-002',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'API call without timeout',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\bfetch\s*\(\s*['"`\w]/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 6, lines.length); j++) {
+              block += lines[j];
+            }
+            if (!/signal|timeout|AbortController|setTimeout/.test(block)) {
+              findings.push({
+                ruleId: 'BUG-API-002', category: 'bugs', severity: 'medium',
+                title: 'fetch() without timeout — request can hang forever',
+                description: 'fetch() has no default timeout. Use AbortController with setTimeout to prevent hanging requests.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'No retry logic for network requests',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        // Only flag if file has multiple fetch/axios calls (it's an API-heavy file)
+        const fetchCount = (content.match(/\bfetch\s*\(|\baxios\.\w+\s*\(/g) || []).length;
+        if (fetchCount < 3) continue;
+        if (!/retry|retries|attempts|backoff|MAX_RETRIES/i.test(content)) {
+          findings.push({
+            ruleId: 'BUG-API-003', category: 'bugs', severity: 'medium',
+            title: `${fetchCount} API calls without retry logic — failures are permanent`,
+            description: 'Network requests fail transiently. API-heavy code should implement retry with exponential backoff for resilience.',
+            file: fp, line: 1, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Secrets in fetch/axios URL or headers',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // API key in URL query param
+          if (/\bfetch\s*\(.*[?&](api_?key|token|secret|password|key)=/i.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-API-004', category: 'bugs', severity: 'high',
+              title: 'API key/secret in URL query parameter — visible in logs and browser history',
+              description: 'Secrets in URLs are logged by servers, proxies, and browsers. Pass them in headers (Authorization) instead.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+          // Hardcoded bearer token
+          if (/['"`]Bearer\s+[a-zA-Z0-9_\-.]{20,}['"`]/.test(lines[i]) && !/process\.env|import\.meta\.env|\$\{/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-API-004', category: 'bugs', severity: 'high',
+              title: 'Hardcoded Bearer token in source code',
+              description: 'Bearer tokens should come from environment variables or secure config, not hardcoded in source.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Race condition in concurrent API calls',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Multiple independent awaits that could be parallel
+          if (/^\s*(?:const|let|var)\s+\w+\s*=\s*await\s/.test(lines[i])) {
+            let consecutiveAwaits = 1;
+            for (let j = i + 1; j < Math.min(i + 6, lines.length); j++) {
+              if (/^\s*(?:const|let|var)\s+\w+\s*=\s*await\s/.test(lines[j])) {
+                consecutiveAwaits++;
+              } else if (lines[j].trim() && !/^\s*\/\//.test(lines[j])) {
+                break;
+              }
+            }
+            if (consecutiveAwaits >= 3) {
+              findings.push({
+                ruleId: 'BUG-API-005', category: 'bugs', severity: 'medium',
+                title: `${consecutiveAwaits} sequential awaits that could run in parallel with Promise.all()`,
+                description: 'Sequential awaits for independent operations waste time. Use Promise.all([...]) to run them concurrently.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Sensitive data in URL path parameters',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // fetch(`/api/users/${email}`) or similar with PII in path
+          if (/fetch\s*\(\s*`[^`]*\$\{[^}]*(email|ssn|password|creditCard|cardNumber|ssn|phone|socialSecurity)[^}]*\}/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-API-006', category: 'bugs', severity: 'high',
+              title: 'Sensitive data (PII) in URL path — logged by servers and CDNs',
+              description: 'URLs with PII are logged everywhere. Send sensitive data in the request body (POST) or encrypted headers.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Large payload without pagination',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        // API route that returns all records
+        if (!/express|fastify|router/.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.(get)\s*\(\s*['"`].*(?:\/all|\/list|s['"`])/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 20, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            if (/\.(find|findAll|findMany|select)\s*\(\s*(?:\{\s*\})?\s*\)/.test(block) && !/limit|skip|offset|page|cursor|pagina/i.test(block)) {
+              findings.push({
+                ruleId: 'BUG-API-007', category: 'bugs', severity: 'medium',
+                title: 'API endpoint returns all records without pagination',
+                description: 'Returning all records crashes with large datasets. Add pagination (limit/offset or cursor-based).',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-API-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'DELETE endpoint without authentication check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (!/express|fastify|router/.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.delete\s*\(\s*['"`]/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 15, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            if (!/auth|authenticate|authorize|isAdmin|isLoggedIn|protect|guard|middleware|jwt|token|session|req\.user/.test(block)) {
+              findings.push({
+                ruleId: 'BUG-API-008', category: 'bugs', severity: 'high',
+                title: 'DELETE endpoint without authentication — anyone can delete resources',
+                description: 'AI generators often create CRUD endpoints without auth middleware on destructive operations.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/js-array-object.js

@@ -0,0 +1,210 @@
+// Bug detection: JavaScript array/object mutation bugs
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-ARR-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Array modified during iteration — splice/push/shift in for loop',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        let inForLoop = 0;
+        let loopArrayName = null;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          const forMatch = line.match(/for\s*\(\s*(?:let|var|const)\s+\w+\s*(?:=\s*0|of|in)\s*(?:;|\s)?\s*(?:\w+\.length|(\w+))/);
+          if (forMatch) { inForLoop++; loopArrayName = forMatch[1]; }
+          if (/\.forEach\s*\(/.test(line) || /\.map\s*\(/.test(line)) { inForLoop++; }
+          if (inForLoop > 0) {
+            if (/\.(splice|push|pop|shift|unshift)\s*\(/.test(line)) {
+              findings.push({
+                ruleId: 'BUG-ARR-001', category: 'bugs', severity: 'high',
+                title: 'Array modified during iteration — indices shift, elements skipped',
+                description: 'Calling splice/push/shift on an array while iterating over it causes elements to be skipped or processed twice. Iterate over a copy or collect changes.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+          if (/\}/.test(line) && inForLoop > 0) inForLoop--;
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'delete on array element — leaves a hole, does not re-index',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/delete\s+\w+\[\d+\]/.test(lines[i]) || /delete\s+\w+\[\w+\]/.test(lines[i])) {
+            const context = lines.slice(Math.max(0, i - 3), i + 1).join('\n');
+            if (/(?:array|arr|list|items|results|data)\b/i.test(context) || /\[\s*\d/.test(context)) {
+              findings.push({
+                ruleId: 'BUG-ARR-002', category: 'bugs', severity: 'high',
+                title: 'delete on array element — creates sparse array with holes',
+                description: 'delete arr[i] sets the element to undefined but keeps the index. Use arr.splice(i, 1) to actually remove it.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'return inside forEach has no effect on outer function',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        let forEachDepth = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/\.forEach\s*\(/.test(line)) forEachDepth++;
+          if (forEachDepth > 0 && /\breturn\b/.test(line) && !/return\s*;/.test(line)) {
+            // return with a value inside forEach — likely trying to return from outer function
+            findings.push({
+              ruleId: 'BUG-ARR-003', category: 'bugs', severity: 'high',
+              title: 'return inside forEach — does not return from outer function',
+              description: 'return inside forEach only exits the current callback iteration. Use for...of, .find(), .some(), or .filter() instead.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+          if (/\}/.test(line) && forEachDepth > 0) forEachDepth--;
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Array.includes() with NaN — always returns false for indexOf',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.indexOf\s*\(\s*NaN\s*\)/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-ARR-004', category: 'bugs', severity: 'medium',
+              title: 'indexOf(NaN) always returns -1 — NaN !== NaN',
+              description: 'Array.indexOf() uses strict equality. Since NaN !== NaN, indexOf(NaN) never finds it. Use Array.includes(NaN) or Array.findIndex(Number.isNaN).',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Spread in reduce accumulator — O(n^2) copy on each iteration',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        let inReduce = 0;
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.reduce\s*\(/.test(lines[i])) inReduce = 5;
+          if (inReduce > 0) {
+            if (/\[\s*\.\.\.(?:acc|prev|result|memo)/.test(lines[i]) || /\{\s*\.\.\.(?:acc|prev|result|memo)/.test(lines[i])) {
+              findings.push({
+                ruleId: 'BUG-ARR-005', category: 'bugs', severity: 'high',
+                title: 'Spread in reduce accumulator — creates O(n^2) copies',
+                description: 'Spreading the accumulator in reduce copies the entire array/object every iteration. Use push() or direct mutation on the accumulator.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+            inReduce--;
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Off-by-one: loop uses <= array.length instead of <',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\w+\s*<=\s*\w+\.length\b/.test(lines[i]) && /for\s*\(/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-ARR-006', category: 'bugs', severity: 'high',
+              title: 'Off-by-one: i <= arr.length accesses undefined element',
+              description: 'Array indices go from 0 to length-1. Using <= causes an access at arr[arr.length] which is undefined.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-ARR-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'String.replace() without /g flag — only replaces first occurrence',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // .replace("string", ...) or .replace('string', ...)
+          if (/\.replace\s*\(\s*['"][^'"]+['"]/.test(line) && !line.includes('replaceAll')) {
+            // Check if the context suggests they want all occurrences
+            if (/(?:all|every|each|clean|strip|remove|sanitize)/i.test(line)) {
+              findings.push({
+                ruleId: 'BUG-ARR-007', category: 'bugs', severity: 'medium',
+                title: 'String.replace() with string arg — only replaces first match',
+                description: '.replace("x", "y") only replaces the first occurrence. Use .replaceAll() or .replace(/x/g, "y") for all matches.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;