getdoorman 1.0.0

package/src/rules/bugs/js-react.js

@@ -0,0 +1,373 @@
+// Bug detection: React/JSX patterns that Claude generates incorrectly
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx'];
+function isJSX(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-REACT-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'setState inside useEffect without dependency array',
+    description: 'Calling setState in useEffect without deps causes infinite re-render loops.',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/useEffect\(\s*\(\)\s*=>\s*\{/.test(lines[i]) || /useEffect\(\s*(?:async\s*)?\(\)\s*=>/.test(lines[i])) {
+            // Look for setState in the next 15 lines, and check if there's a dep array
+            let hasSetState = false;
+            let hasDepArray = false;
+            let braceDepth = 0;
+            for (let j = i; j < Math.min(i + 25, lines.length); j++) {
+              if (/set[A-Z]\w*\(/.test(lines[j])) hasSetState = true;
+              braceDepth += (lines[j].match(/\{/g) || []).length - (lines[j].match(/\}/g) || []).length;
+              if (braceDepth <= 0 || /\}\s*,\s*\[/.test(lines[j]) || /^\s*\]\s*\)\s*;?\s*$/.test(lines[j])) {
+                if (/\]\s*\)/.test(lines[j])) hasDepArray = true;
+                if (braceDepth <= 0) {
+                  if (j + 1 < lines.length && /^\s*\]\s*\)/.test(lines[j + 1])) hasDepArray = true;
+                  break;
+                }
+              }
+            }
+            if (hasSetState && !hasDepArray) {
+              findings.push({
+                ruleId: 'BUG-REACT-001', category: 'bugs', severity: 'high',
+                title: 'setState inside useEffect without dependency array — infinite loop',
+                description: 'useEffect with setState but no dependency array will re-render infinitely. Add a dependency array.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Direct state mutation instead of setState',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        // First find useState declarations to know state variable names
+        const stateVars = new Set();
+        for (const line of lines) {
+          const m = line.match(/const\s+\[(\w+)\s*,\s*set\w+\]\s*=\s*useState/);
+          if (m) stateVars.add(m[1]);
+        }
+        if (stateVars.size === 0) continue;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          for (const sv of stateVars) {
+            // Direct mutation patterns: state.push(), state[x] = y, state.splice(), state.sort()
+            const mutateRe = new RegExp(`\\b${sv}\\s*\\.\\s*(push|pop|shift|unshift|splice|sort|reverse|fill)\\s*\\(`);
+            const assignRe = new RegExp(`\\b${sv}\\s*\\[.+\\]\\s*=`);
+            const propAssignRe = new RegExp(`\\b${sv}\\s*\\.\\s*\\w+\\s*=`);
+            if (mutateRe.test(line) || assignRe.test(line) || propAssignRe.test(line)) {
+              findings.push({
+                ruleId: 'BUG-REACT-002', category: 'bugs', severity: 'high',
+                title: `Direct mutation of state variable "${sv}" — use set${sv.charAt(0).toUpperCase() + sv.slice(1)}() instead`,
+                description: 'Mutating state directly bypasses React\'s reactivity. Use the setter function with a new copy.',
+                file: fp, line: i + 1, fix: null,
+              });
+              break;
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'async useEffect callback',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/useEffect\(\s*async/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-REACT-003', category: 'bugs', severity: 'high',
+              title: 'async function passed directly to useEffect',
+              description: 'useEffect callbacks cannot be async (React expects a cleanup function or undefined). Wrap in an inner async function.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing key prop in list rendering',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // .map(() => <Component ... without key=
+          if (/\.map\s*\(/.test(lines[i])) {
+            let jsxBlock = '';
+            for (let j = i; j < Math.min(i + 8, lines.length); j++) {
+              jsxBlock += lines[j];
+            }
+            // Has JSX return but no key prop
+            if (/<\w+/.test(jsxBlock) && !jsxBlock.includes('key=') && !jsxBlock.includes('key ={')) {
+              findings.push({
+                ruleId: 'BUG-REACT-004', category: 'bugs', severity: 'medium',
+                title: 'List rendering with .map() missing key prop',
+                description: 'React needs a unique key prop on list items for efficient reconciliation. Using index as key is also an anti-pattern for dynamic lists.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Using array index as key in dynamic list',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // .map((item, index) ... key={index} or key={i}
+          if (/\.map\s*\(\s*\(\s*\w+\s*,\s*(\w+)\s*\)/.test(lines[i])) {
+            const indexVar = lines[i].match(/\.map\s*\(\s*\(\s*\w+\s*,\s*(\w+)\s*\)/)[1];
+            let block = '';
+            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            const keyRe = new RegExp(`key\\s*=\\s*\\{\\s*${indexVar}\\s*\\}`);
+            if (keyRe.test(block)) {
+              findings.push({
+                ruleId: 'BUG-REACT-005', category: 'bugs', severity: 'medium',
+                title: 'Array index used as key — causes bugs with reordering, insertion, deletion',
+                description: 'Using array index as key causes React to misidentify elements when the list changes. Use a stable unique ID instead.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-006',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'useEffect cleanup not returned',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/useEffect\(\s*\(\)\s*=>/.test(lines[i])) {
+            let block = '';
+            let braceDepth = 0;
+            let endLine = i;
+            for (let j = i; j < Math.min(i + 30, lines.length); j++) {
+              block += lines[j] + '\n';
+              braceDepth += (lines[j].match(/\{/g) || []).length - (lines[j].match(/\}/g) || []).length;
+              if (braceDepth <= 0 && j > i) { endLine = j; break; }
+            }
+            // Has event listener or interval/timeout but no cleanup return
+            const hasSubscription = /addEventListener|setInterval|setTimeout|subscribe|on\(/.test(block);
+            const hasCleanup = /return\s*\(\)\s*=>|return\s+function/.test(block);
+            if (hasSubscription && !hasCleanup) {
+              findings.push({
+                ruleId: 'BUG-REACT-006', category: 'bugs', severity: 'high',
+                title: 'useEffect with subscription/listener but no cleanup function',
+                description: 'Event listeners, intervals, and subscriptions in useEffect must be cleaned up by returning a cleanup function. Otherwise they leak on unmount.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-007',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Stale closure in useCallback/useMemo with missing dependencies',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // useCallback or useMemo with empty dep array
+          if (/use(Callback|Memo)\s*\(/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 15, lines.length); j++) {
+              block += lines[j] + '\n';
+              if (/\]\s*\)\s*;?\s*$/.test(lines[j])) break;
+            }
+            // Empty dependency array but references state variables (set* pattern)
+            if (/,\s*\[\s*\]\s*\)/.test(block)) {
+              // Check if the callback body references any outer variables (heuristic)
+              const bodyMatch = block.match(/\(\s*\)\s*=>\s*\{([\s\S]*)\}\s*,/);
+              if (bodyMatch) {
+                const body = bodyMatch[1];
+                // References state vars or props
+                if (/\b(props|state|data|items|user|count|value|loading|error|result)\b/.test(body)) {
+                  findings.push({
+                    ruleId: 'BUG-REACT-007', category: 'bugs', severity: 'medium',
+                    title: 'useCallback/useMemo with empty deps may have stale closure',
+                    description: 'Empty dependency array means the memoized value/callback never updates. If it reads reactive values, they\'ll be stale.',
+                    file: fp, line: i + 1, fix: null,
+                  });
+                }
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-008',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Conditional hook call',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        let inCondition = 0;
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/^\s*if\s*\(/.test(line) || /^\s*else\b/.test(line)) {
+            inCondition = 3; // track for next few lines
+          }
+          if (inCondition > 0) {
+            inCondition--;
+            if (/\buse(State|Effect|Memo|Callback|Ref|Context|Reducer|LayoutEffect|ImperativeHandle)\s*\(/.test(line)) {
+              findings.push({
+                ruleId: 'BUG-REACT-008', category: 'bugs', severity: 'high',
+                title: 'React hook called conditionally — violates Rules of Hooks',
+                description: 'Hooks must be called in the same order on every render. Conditional hooks cause crashes and bugs.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-009',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Object/array literal as default prop or in dependency array',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Inline object/array in useEffect/useMemo/useCallback dep array
+          if (/use(Effect|Memo|Callback)\s*\(/.test(lines[Math.max(0, i - 10)]?.concat(lines[i]) || '')) {
+            // Check for object/array literals in dependency arrays: , [{}, [], {key: val}])
+            if (/\[\s*(?:\{[^}]*\}|\[[^\]]*\])\s*\]\s*\)/.test(line)) {
+              findings.push({
+                ruleId: 'BUG-REACT-009', category: 'bugs', severity: 'medium',
+                title: 'Object/array literal in dependency array — triggers on every render',
+                description: 'Inline objects/arrays create new references each render, making the dependency array useless. Extract to useMemo or a constant.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+          // Default prop as object literal: function Component({ data = {} })
+          if (/function\s+[A-Z]\w*\s*\(\s*\{[^}]*=\s*(\[\s*\]|\{\s*\})/.test(line)) {
+            findings.push({
+              ruleId: 'BUG-REACT-009', category: 'bugs', severity: 'medium',
+              title: 'Inline default prop creates new reference each render',
+              description: 'Default values like `= {}` or `= []` in destructured props create new references on every render, breaking memoization.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REACT-010',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'setState with stale state reference',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        const stateSetters = new Map();
+        for (const line of lines) {
+          const m = line.match(/const\s+\[(\w+)\s*,\s*(set\w+)\]\s*=\s*useState/);
+          if (m) stateSetters.set(m[2], m[1]);
+        }
+        for (let i = 0; i < lines.length; i++) {
+          for (const [setter, stateVar] of stateSetters) {
+            // setCount(count + 1) instead of setCount(prev => prev + 1)
+            const staleRe = new RegExp(`${setter}\\s*\\(\\s*${stateVar}\\s*[+\\-*/]`);
+            if (staleRe.test(lines[i])) {
+              // Check it's not already using functional form
+              const funcRe = new RegExp(`${setter}\\s*\\(\\s*\\w+\\s*=>`);
+              if (!funcRe.test(lines[i])) {
+                findings.push({
+                  ruleId: 'BUG-REACT-010', category: 'bugs', severity: 'medium',
+                  title: `${setter}(${stateVar} + ...) uses stale state — use functional update`,
+                  description: `Use ${setter}(prev => prev + ...) to avoid stale state bugs, especially in event handlers and async code.`,
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/js-regex.js

@@ -0,0 +1,200 @@
+// Bug detection: Regex patterns — ReDoS, common mistakes
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+function isJS(f) { return JS_EXT.some(e => f.endsWith(e)); }
+function isPy(f) { return f.endsWith('.py'); }
+function isSource(f) { return isJS(f) || isPy(f) || f.endsWith('.go') || f.endsWith('.rb'); }
+
+const rules = [
+  {
+    id: 'BUG-REGEX-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'ReDoS — regex with catastrophic backtracking potential',
+    check({ files }) {
+      const findings = [];
+      // Patterns that cause catastrophic backtracking: nested quantifiers, overlapping alternation
+      const redosPatterns = [
+        /\([^)]*[+*][^)]*\)[+*]/,         // (a+)+ or (a*)*
+        /\([^)]*\|[^)]*\)[+*]/,           // (a|a)+ overlapping alternation with quantifier
+        /\.\*[^?].*\.\*/,                  // .* ... .* without lazy
+        /\([^)]+\+\)\{/,                   // (a+){n,m}
+      ];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          // Find regex literals and new RegExp()
+          const regexMatches = [
+            ...line.matchAll(/\/([^/\n]{5,})\/[gimsuvy]*/g),
+            ...line.matchAll(/new\s+RegExp\s*\(\s*['"`]([^'"`]{5,})['"`]/g),
+          ];
+          for (const m of regexMatches) {
+            const pattern = m[1];
+            for (const redos of redosPatterns) {
+              if (redos.test(pattern)) {
+                findings.push({
+                  ruleId: 'BUG-REGEX-001', category: 'bugs', severity: 'high',
+                  title: 'Regex with catastrophic backtracking (ReDoS) potential',
+                  description: 'This regex has nested quantifiers or overlapping patterns that can cause exponential backtracking. An attacker can craft input that hangs the process. Use atomic groups or rewrite the pattern.',
+                  file: fp, line: i + 1, fix: null,
+                });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REGEX-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'User input passed to new RegExp() — regex injection',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // new RegExp(variable) or new RegExp(req.something)
+          if (/new\s+RegExp\s*\(\s*(?:req\.|params|query|input|user|body|search|filter|pattern|term|keyword)\w*/i.test(lines[i])) {
+            // Check if escaped
+            const context = lines.slice(Math.max(0, i - 3), i + 1).join('\n');
+            if (!/escapeRegex|escapeRegExp|escape.*[Rr]eg|sanitize|lodash.*escape|_.escape/.test(context)) {
+              findings.push({
+                ruleId: 'BUG-REGEX-002', category: 'bugs', severity: 'high',
+                title: 'User input in new RegExp() — regex injection and ReDoS risk',
+                description: 'User input must be escaped before passing to RegExp. Use a helper: str.replace(/[.*+?^${}()|[\\]\\\\]/g, "\\\\$&")',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REGEX-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Email regex too simple — rejects valid addresses',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSource(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Common too-simple email regex patterns
+          if (/email|mail/i.test(lines[i]) && /\/\^?\[?\\?[ws@.\-+]+\$?\//i.test(lines[i])) {
+            // Check if it's a validation regex that's too simple
+            if (/\.\+@\.\+\.\.\+/.test(lines[i]) || /\\w\+@\\w\+/.test(lines[i]) || /\[a-z\].*@.*\[a-z\]/.test(lines[i])) {
+              findings.push({
+                ruleId: 'BUG-REGEX-003', category: 'bugs', severity: 'medium',
+                title: 'Email validation regex too simple — rejects valid emails',
+                description: 'Simple email regexes reject valid addresses (plus-addressing, dots, international domains). Use a library or the HTML5 email input type.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REGEX-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'Regex special char not escaped in new RegExp(string)',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // new RegExp("string.with.dots") — dots should be \.
+          const m = lines[i].match(/new\s+RegExp\s*\(\s*(['"`])([^'"`]+)\1\s*\)/);
+          if (m) {
+            const pattern = m[2];
+            // Has unescaped dots that look like literal dots (not \.)
+            if (/[^\\]\.[^*+?{(|]/.test(pattern) && !/\[.*\..*\]/.test(pattern)) {
+              if (/\.\w+\b/.test(pattern)) { // looks like literal string matching
+                findings.push({
+                  ruleId: 'BUG-REGEX-004', category: 'bugs', severity: 'medium',
+                  title: 'Unescaped dot in RegExp string — matches any character, not literal "."',
+                  description: 'In regex, "." matches any character. To match a literal dot, use "\\\\." in the string. In a RegExp string, you need double backslash.',
+                  file: fp, line: i + 1, fix: null,
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REGEX-005',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Regex used for URL/path validation without anchors',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // .test() or .match() with a URL/path pattern without ^ and $
+          if (/\.(test|match)\s*\(\s*\/(?!.*\^)(?!.*\$).*(?:https?|www\.|\.com|api\/|\/\w+\/)/i.test(lines[i])) {
+            if (/valid|check|is[A-Z]|allow|block|filter/.test(lines[i]) || /valid|check|is[A-Z]|allow/.test(lines[Math.max(0, i - 2)])) {
+              findings.push({
+                ruleId: 'BUG-REGEX-005', category: 'bugs', severity: 'medium',
+                title: 'URL/path regex without anchors (^ $) — partial matches bypass validation',
+                description: 'Without ^ and $, the regex matches substrings. "https://evil.com/https://safe.com" would pass a check for safe.com. Add ^ and $ anchors.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-REGEX-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'replaceAll with regex missing /g flag',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // .replaceAll(/pattern/) without g flag — throws TypeError
+          if (/\.replaceAll\s*\(\s*\/[^/]+\/(?![gimsuvy]*g)/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-REGEX-006', category: 'bugs', severity: 'medium',
+              title: '.replaceAll() with regex missing /g flag — throws TypeError',
+              description: 'String.replaceAll() requires the /g flag when used with a regex. Without it, JavaScript throws a TypeError at runtime.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;