getdoorman 1.0.0

package/src/rules/bugs/react-fixable.js

@@ -0,0 +1,207 @@
+// Auto-fixable React bug patterns
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx'];
+function isJSX(f) { return JS_EXT.some(e => f.endsWith(e)); }
+
+const rules = [
+  {
+    id: 'BUG-RFIX-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'async useEffect → wrap in inner function',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const match = lines[i].match(/^(\s*)useEffect\(\s*async\s*\(\)\s*=>\s*\{/);
+          if (match) {
+            findings.push({
+              ruleId: 'BUG-RFIX-001', category: 'bugs', severity: 'high',
+              title: 'async useEffect → wrap in inner IIFE',
+              description: 'useEffect cannot be async. Wrap the async logic in an inner function.',
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: 'useEffect(async () => {',
+                new: `useEffect(() => {\n${match[1]}  const run = async () => {`,
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RFIX-002',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'console.log in JSX component → remove',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp)) continue;
+        if (!/function\s+[A-Z]|const\s+[A-Z]\w+\s*=/.test(content)) continue; // Only React components
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*console\.log\s*\(/.test(lines[i]) && /\)\s*;?\s*$/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RFIX-002', category: 'bugs', severity: 'medium',
+              title: 'Debug console.log left in component',
+              description: 'Remove debug logging from production components.',
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: lines[i],
+                new: '',
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RFIX-003',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: '@ts-ignore → @ts-expect-error',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!fp.endsWith('.ts') && !fp.endsWith('.tsx')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/@ts-ignore/.test(lines[i]) && !/@ts-expect-error/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RFIX-003', category: 'bugs', severity: 'medium',
+              title: '@ts-ignore → @ts-expect-error (will warn when suppression is unnecessary)',
+              file: fp, line: i + 1,
+              fix: {
+                type: 'replace',
+                old: '@ts-ignore',
+                new: '@ts-expect-error',
+              },
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RFIX-004',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'return next() pattern fix for Express middleware',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp) && !fp.endsWith('.js') && !fp.endsWith('.mjs')) continue;
+        if (!/express|middleware|router/.test(content)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // next() on its own line (not return next())
+          if (/^\s+next\s*\(\s*\)\s*;?\s*$/.test(lines[i]) && !/return/.test(lines[i])) {
+            // Check if there's code after
+            const nextLine = lines[i + 1]?.trim();
+            if (nextLine && nextLine !== '}' && nextLine !== '});' && !nextLine.startsWith('//')) {
+              findings.push({
+                ruleId: 'BUG-RFIX-004', category: 'bugs', severity: 'high',
+                title: 'next() without return — add return to prevent continued execution',
+                file: fp, line: i + 1,
+                fix: {
+                  type: 'replace',
+                  old: lines[i],
+                  new: lines[i].replace(/(\s*)next\s*\(\s*\)/, '$1return next()'),
+                },
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RFIX-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'fetch without response.ok check → add check',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp) && !fp.endsWith('.js') && !fp.endsWith('.mjs')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // const response = await fetch(...)
+          const match = lines[i].match(/^(\s*)(?:const|let)\s+(response|res)\s*=\s*await\s+fetch\s*\(/);
+          if (match) {
+            const varName = match[2];
+            // Check next line for immediate .json() without ok check
+            if (i + 1 < lines.length) {
+              const nextLine = lines[i + 1];
+              if (new RegExp(`${varName}\\.json\\s*\\(`).test(nextLine) && !/\.ok/.test(nextLine)) {
+                findings.push({
+                  ruleId: 'BUG-RFIX-005', category: 'bugs', severity: 'high',
+                  title: `Add response.ok check after fetch`,
+                  file: fp, line: i + 1,
+                  fix: {
+                    type: 'replace',
+                    old: lines[i],
+                    new: `${lines[i]}\n${match[1]}if (!${varName}.ok) throw new Error(\`HTTP \${${varName}.status}: \${${varName}.statusText}\`);`,
+                  },
+                });
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RFIX-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'export let → export const for non-reassigned exports',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJSX(fp) && !fp.endsWith('.js') && !fp.endsWith('.mjs')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^export\s+let\s+(\w+)\s*=/.test(lines[i])) {
+            const varName = lines[i].match(/export\s+let\s+(\w+)/)[1];
+            // Check if the variable is reassigned later
+            const rest = lines.slice(i + 1).join('\n');
+            const reassignRe = new RegExp(`^\\s*${varName}\\s*=(?!=)`, 'm');
+            if (!reassignRe.test(rest)) {
+              findings.push({
+                ruleId: 'BUG-RFIX-006', category: 'bugs', severity: 'medium',
+                title: `export let "${varName}" → export const (never reassigned)`,
+                file: fp, line: i + 1,
+                fix: {
+                  type: 'replace',
+                  old: `export let ${varName}`,
+                  new: `export const ${varName}`,
+                },
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/ruby-bugs.js

@@ -0,0 +1,182 @@
+// Bug detection: Ruby common patterns AI generators get wrong
+function isRuby(f) { return f.endsWith('.rb') || f.endsWith('.erb'); }
+
+const rules = [
+  {
+    id: 'BUG-RUBY-001',
+    category: 'bugs',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Mass assignment vulnerability — permit all params',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/params\.permit!/.test(lines[i]) || /\.permit\(\s*!\s*\)/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RUBY-001', category: 'bugs', severity: 'high',
+              title: 'params.permit! allows ALL parameters — mass assignment vulnerability',
+              description: 'permit! allows all params including admin, role, password. Always whitelist: params.require(:user).permit(:name, :email).',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RUBY-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'N+1 query in loop',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.each\s+do\s*\|/.test(lines[i]) || /\.map\s+do\s*\|/.test(lines[i])) {
+            let block = '';
+            for (let j = i; j < Math.min(i + 10, lines.length); j++) {
+              block += lines[j] + '\n';
+            }
+            // Database queries inside loop
+            if (/\.(find|find_by|where|count|exists\?|first|last|pluck)\b/.test(block)) {
+              findings.push({
+                ruleId: 'BUG-RUBY-002', category: 'bugs', severity: 'high',
+                title: 'N+1 query — database call inside loop',
+                description: 'Each iteration makes a separate DB query. Use .includes(:association) or .eager_load() to batch queries.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RUBY-003',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'SQL injection via string interpolation',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // .where("column = #{var}") — SQL injection
+          if (/\.where\s*\(\s*"[^"]*#\{/.test(lines[i]) || /\.where\s*\(\s*'[^']*#\{/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RUBY-003', category: 'bugs', severity: 'high',
+              title: 'SQL injection — string interpolation in ActiveRecord .where()',
+              description: 'Use parameterized queries: .where("column = ?", value) or .where(column: value) instead of string interpolation.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RUBY-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Rescue without specific exception class',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // rescue without exception class (catches StandardError) or rescue Exception (catches everything)
+          if (/^\s*rescue\s*$/.test(lines[i]) || /^\s*rescue\s*=>/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RUBY-004', category: 'bugs', severity: 'medium',
+              title: 'Bare rescue catches StandardError — specify exception class',
+              description: 'Bare rescue catches too many exceptions. Use rescue SpecificError => e to handle only expected errors.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+          if (/^\s*rescue\s+Exception\b/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-RUBY-004', category: 'bugs', severity: 'medium',
+              title: 'rescue Exception catches EVERYTHING including SignalException and SystemExit',
+              description: 'rescue Exception catches Ctrl+C, kill signals, and syntax errors. Use rescue StandardError or a specific error class.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RUBY-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unscoped find — users can access any record',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        if (!/controller/i.test(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Model.find(params[:id]) without scoping to current_user
+          if (/[A-Z]\w+\.find\s*\(\s*params\[/.test(lines[i])) {
+            const context = lines.slice(Math.max(0, i - 5), i + 1).join('\n');
+            if (!/current_user|@user|authorize|policy|scope/.test(context)) {
+              findings.push({
+                ruleId: 'BUG-RUBY-005', category: 'bugs', severity: 'high',
+                title: 'Unscoped Model.find(params[:id]) — any user can access any record',
+                description: 'Use current_user.posts.find(params[:id]) instead of Post.find(params[:id]) to enforce authorization.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-RUBY-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'html_safe on user input — XSS vulnerability',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isRuby(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/\.(html_safe|raw)\b/.test(lines[i])) {
+            // Check if it involves user input or params
+            if (/params|@\w+|user|input|content|body|text|message|comment|name|title/.test(lines[i])) {
+              findings.push({
+                ruleId: 'BUG-RUBY-006', category: 'bugs', severity: 'medium',
+                title: '.html_safe or raw() on potentially user-controlled content — XSS',
+                description: 'html_safe bypasses Rails XSS protection. Use sanitize() helper for user content that needs HTML.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/bugs/shell-bugs.js

@@ -0,0 +1,181 @@
+// Bug detection: Shell script bugs that AI generators commonly produce
+function isSh(f) { return f.endsWith('.sh') || f.endsWith('.bash') || f.endsWith('.zsh'); }
+
+const rules = [
+  {
+    id: 'BUG-SH-001',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Unquoted variable expansion — word splitting and globbing bugs',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (/^\s*#/.test(line)) continue;
+          // $VAR without quotes in commands (not inside [[ ]] or assignments)
+          if (/\s\$\w+\b/.test(line) && !/"\$/.test(line) && !/'\$/.test(line) && !/\[\[/.test(line) && !/^\s*\w+=/.test(line)) {
+            if (/\b(cp|mv|rm|cat|echo|cd|mkdir|chmod|chown|ls|grep|find|test)\b/.test(line)) {
+              findings.push({
+                ruleId: 'BUG-SH-001', category: 'bugs', severity: 'high',
+                title: 'Unquoted variable in command — breaks on spaces and special chars',
+                description: 'Always quote variables: "$VAR" not $VAR. Unquoted variables undergo word splitting and glob expansion.',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SH-002',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Missing error handling — no set -e or error checks',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const hasSetE = /set\s+-e|set\s+-o\s+errexit/.test(content);
+        const hasTraps = /trap\s+/.test(content);
+        const lineCount = content.split('\n').length;
+        if (!hasSetE && !hasTraps && lineCount > 10) {
+          // Check if there are any error checks at all
+          const hasChecks = /\|\|\s*(exit|echo|die)|if\s+\[\s*\$\?\s*-ne\s*0|&&\s*\{/.test(content);
+          if (!hasChecks) {
+            findings.push({
+              ruleId: 'BUG-SH-002', category: 'bugs', severity: 'high',
+              title: 'Shell script without error handling — failures are silent',
+              description: 'Add "set -euo pipefail" at the top of the script. Without it, commands that fail are silently ignored and the script continues.',
+              file: fp, line: 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SH-003',
+    category: 'bugs',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'rm -rf with variable that could be empty',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // rm -rf $VAR/ or rm -rf ${VAR}/ — if VAR is empty, this becomes rm -rf /
+          if (/rm\s+-rf?\s+\$\w+\/|rm\s+-rf?\s+\$\{\w+\}\//.test(lines[i])) {
+            // Check if variable is validated before
+            const varName = lines[i].match(/\$\{?(\w+)\}?\//)[1];
+            const before = content.split('\n').slice(0, i).join('\n');
+            if (!new RegExp(`if\\s+\\[.*-[nz].*${varName}|\\$\\{${varName}:?-`).test(before)) {
+              findings.push({
+                ruleId: 'BUG-SH-003', category: 'bugs', severity: 'high',
+                title: `rm -rf with unchecked variable $${varName} — could delete root if empty`,
+                description: 'If the variable is empty, "rm -rf $VAR/" becomes "rm -rf /". Always check: ${VAR:?Variable not set} or test -n "$VAR".',
+                file: fp, line: i + 1, fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SH-004',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'definite',
+    title: 'Using [ ] instead of [[ ]] for string comparison',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // [ "$var" = "val" ] — should be [[ ]]
+          if (/\[\s+"?\$\w+"?\s*=\s+/.test(lines[i]) && !/\[\[/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-SH-004', category: 'bugs', severity: 'medium',
+              title: '[ ] for string comparison — use [[ ]] to avoid word splitting issues',
+              description: '[[ ]] is safer: no word splitting, no glob expansion, supports && || and regex. Use [[ ]] in bash scripts.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SH-005',
+    category: 'bugs',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Parsing ls output — brittle and breaks on special filenames',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/for\s+\w+\s+in\s+\$\(ls\b/.test(lines[i]) || /\bls\b.*\|\s*(while|xargs|awk|sed|grep)/.test(lines[i])) {
+            findings.push({
+              ruleId: 'BUG-SH-005', category: 'bugs', severity: 'high',
+              title: 'Parsing ls output — breaks on filenames with spaces/newlines',
+              description: 'Use glob patterns (for f in *.txt) or find with -exec/-print0 instead of parsing ls output.',
+              file: fp, line: i + 1, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'BUG-SH-006',
+    category: 'bugs',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'TOCTOU race — test then use pattern',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isSh(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // if [ -f "$file" ]; then ... cat/rm/mv "$file"
+          if (/if\s+\[\[?\s+-[fde]\s+/.test(lines[i])) {
+            const fileVar = lines[i].match(/\-[fde]\s+"?\$\{?(\w+)\}?"?/)?.[1];
+            if (!fileVar) continue;
+            for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+              if (new RegExp(`\\b(rm|mv|cat|cp|chmod|chown)\\b.*\\$\\{?${fileVar}\\}?`).test(lines[j])) {
+                findings.push({
+                  ruleId: 'BUG-SH-006', category: 'bugs', severity: 'medium',
+                  title: 'TOCTOU race — file could change between test and use',
+                  description: 'File may be deleted/modified between the test and use. For critical operations, use atomic operations or lock files.',
+                  file: fp, line: i + 1, fix: null,
+                });
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;