npm - getdoorman - Versions diffs - 1.0.0 - Mend

getdoorman 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

package/LICENSE +21 -0
package/README.md +181 -0
package/bin/doorman.js +444 -0
package/package.json +74 -0
package/src/ai-fixer.js +559 -0
package/src/ast-scanner.js +434 -0
package/src/auth.js +149 -0
package/src/baseline.js +48 -0
package/src/compliance.js +539 -0
package/src/config.js +466 -0
package/src/custom-rules.js +32 -0
package/src/dashboard.js +202 -0
package/src/detector.js +142 -0
package/src/fix-engine.js +48 -0
package/src/fix-registry-extra.js +95 -0
package/src/fix-registry-go-rust.js +77 -0
package/src/fix-registry-java-csharp.js +77 -0
package/src/fix-registry-js.js +99 -0
package/src/fix-registry-mcp-ai.js +57 -0
package/src/fix-registry-python.js +87 -0
package/src/fixer-ruby-php.js +608 -0
package/src/fixer.js +2113 -0
package/src/hooks.js +115 -0
package/src/ignore.js +176 -0
package/src/index.js +384 -0
package/src/metrics.js +126 -0
package/src/monorepo.js +65 -0
package/src/presets.js +54 -0
package/src/reporter.js +975 -0
package/src/rule-worker.js +36 -0
package/src/rules/ast-rules.js +756 -0
package/src/rules/bugs/accessibility.js +235 -0
package/src/rules/bugs/ai-codegen-fixable.js +172 -0
package/src/rules/bugs/ai-codegen.js +365 -0
package/src/rules/bugs/code-smell-bugs.js +247 -0
package/src/rules/bugs/crypto-bugs.js +195 -0
package/src/rules/bugs/docker-bugs.js +158 -0
package/src/rules/bugs/general.js +361 -0
package/src/rules/bugs/go-bugs.js +279 -0
package/src/rules/bugs/index.js +73 -0
package/src/rules/bugs/js-api.js +257 -0
package/src/rules/bugs/js-array-object.js +210 -0
package/src/rules/bugs/js-async-fixable.js +223 -0
package/src/rules/bugs/js-async.js +211 -0
package/src/rules/bugs/js-closure-scope.js +182 -0
package/src/rules/bugs/js-database.js +203 -0
package/src/rules/bugs/js-error-handling.js +148 -0
package/src/rules/bugs/js-logic.js +261 -0
package/src/rules/bugs/js-memory.js +214 -0
package/src/rules/bugs/js-node.js +361 -0
package/src/rules/bugs/js-react.js +373 -0
package/src/rules/bugs/js-regex.js +200 -0
package/src/rules/bugs/js-state.js +272 -0
package/src/rules/bugs/js-type-coercion.js +318 -0
package/src/rules/bugs/nextjs-bugs.js +242 -0
package/src/rules/bugs/nextjs-fixable.js +120 -0
package/src/rules/bugs/node-fixable.js +178 -0
package/src/rules/bugs/python-advanced.js +245 -0
package/src/rules/bugs/python-fixable.js +98 -0
package/src/rules/bugs/python.js +284 -0
package/src/rules/bugs/react-fixable.js +207 -0
package/src/rules/bugs/ruby-bugs.js +182 -0
package/src/rules/bugs/shell-bugs.js +181 -0
package/src/rules/bugs/silent-failures.js +261 -0
package/src/rules/bugs/ts-bugs.js +235 -0
package/src/rules/bugs/unused-vars.js +65 -0
package/src/rules/compliance/accessibility-ext.js +468 -0
package/src/rules/compliance/education.js +322 -0
package/src/rules/compliance/financial.js +421 -0
package/src/rules/compliance/frameworks.js +507 -0
package/src/rules/compliance/healthcare.js +520 -0
package/src/rules/compliance/index.js +2714 -0
package/src/rules/compliance/regional-eu.js +480 -0
package/src/rules/compliance/regional-international.js +903 -0
package/src/rules/cost/index.js +1993 -0
package/src/rules/data/index.js +2503 -0
package/src/rules/dependencies/index.js +1684 -0
package/src/rules/deployment/index.js +2050 -0
package/src/rules/index.js +71 -0
package/src/rules/infrastructure/index.js +3048 -0
package/src/rules/performance/index.js +3455 -0
package/src/rules/quality/index.js +3175 -0
package/src/rules/reliability/index.js +3040 -0
package/src/rules/scope-rules.js +815 -0
package/src/rules/security/ai-api.js +1177 -0
package/src/rules/security/auth.js +1328 -0
package/src/rules/security/cors.js +127 -0
package/src/rules/security/crypto.js +527 -0
package/src/rules/security/csharp.js +862 -0
package/src/rules/security/csrf.js +193 -0
package/src/rules/security/dart.js +835 -0
package/src/rules/security/deserialization.js +291 -0
package/src/rules/security/file-upload.js +187 -0
package/src/rules/security/go.js +850 -0
package/src/rules/security/headers.js +235 -0
package/src/rules/security/index.js +65 -0
package/src/rules/security/injection.js +1639 -0
package/src/rules/security/mcp-server.js +71 -0
package/src/rules/security/misconfiguration.js +660 -0
package/src/rules/security/oauth-jwt.js +329 -0
package/src/rules/security/path-traversal.js +295 -0
package/src/rules/security/php.js +1054 -0
package/src/rules/security/prototype-pollution.js +283 -0
package/src/rules/security/rate-limiting.js +208 -0
package/src/rules/security/ruby.js +1061 -0
package/src/rules/security/rust.js +693 -0
package/src/rules/security/secrets.js +747 -0
package/src/rules/security/shell.js +647 -0
package/src/rules/security/ssrf.js +298 -0
package/src/rules/security/supply-chain-advanced.js +393 -0
package/src/rules/security/supply-chain.js +734 -0
package/src/rules/security/swift.js +835 -0
package/src/rules/security/taint.js +27 -0
package/src/rules/security/xss.js +520 -0
package/src/scan-cache.js +71 -0
package/src/scanner.js +710 -0
package/src/scope-analyzer.js +685 -0
package/src/share.js +88 -0
package/src/taint.js +300 -0
package/src/telemetry.js +183 -0
package/src/tracer.js +190 -0
package/src/upload.js +35 -0
package/src/worker.js +31 -0

package/src/rules/security/headers.js ADDED Viewed

@@ -0,0 +1,235 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+const rules = [
+  // SEC-HDR-001
+  {
+    id: 'SEC-HDR-001', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Missing Content-Security-Policy header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const hasCSP = [...files.values()].some(c =>
+        c.includes('Content-Security-Policy') || c.includes('contentSecurityPolicy')
+      );
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!hasCSP && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-001', category: 'security', severity: 'high',
+          title: 'No Content-Security-Policy header — XSS attacks not mitigated',
+          description: 'CSP restricts which scripts can run on your page, preventing XSS.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-002
+  {
+    id: 'SEC-HDR-002', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Missing X-Content-Type-Options header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c => c.includes('X-Content-Type-Options') || c.includes('nosniff'));
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-002', category: 'security', severity: 'medium',
+          title: 'Missing X-Content-Type-Options: nosniff header',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-003
+  {
+    id: 'SEC-HDR-003', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Missing X-Frame-Options header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c => c.includes('X-Frame-Options') || c.includes('frameguard'));
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-003', category: 'security', severity: 'medium',
+          title: 'Missing X-Frame-Options header — clickjacking possible',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-004
+  {
+    id: 'SEC-HDR-004', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'Missing Strict-Transport-Security header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c => c.includes('Strict-Transport-Security') || c.includes('hsts'));
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-004', category: 'security', severity: 'high',
+          title: 'Missing HSTS header — HTTPS downgrade attacks possible',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-005
+  {
+    id: 'SEC-HDR-005', category: 'security', severity: 'low', confidence: 'suggestion',
+    title: 'Missing X-XSS-Protection header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c => c.includes('X-XSS-Protection'));
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-005', category: 'security', severity: 'low',
+          title: 'Missing X-XSS-Protection header (legacy browser protection)',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-006
+  {
+    id: 'SEC-HDR-006', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Missing Referrer-Policy header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c => c.includes('Referrer-Policy') || c.includes('referrerPolicy'));
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-006', category: 'security', severity: 'medium',
+          title: 'Missing Referrer-Policy — URLs leaked to third parties via referrer',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-007
+  {
+    id: 'SEC-HDR-007', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Missing Permissions-Policy header',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      const has = [...files.values()].some(c =>
+        c.includes('Permissions-Policy') || c.includes('Feature-Policy') || c.includes('permissionsPolicy')
+      );
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      if (!has && !hasHelmet) {
+        findings.push({
+          ruleId: 'SEC-HDR-007', category: 'security', severity: 'medium',
+          title: 'Missing Permissions-Policy — browser features (camera, mic, location) not restricted',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-008
+  {
+    id: 'SEC-HDR-008', category: 'security', severity: 'low', confidence: 'suggestion',
+    title: 'Server header exposes version info',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (content.match(/(?:res|response)\.(?:setHeader|set)\s*\(\s*['"]Server['"]/i)) {
+          findings.push({
+            ruleId: 'SEC-HDR-008', category: 'security', severity: 'low',
+            title: 'Server header set — may expose server technology and version',
+            file: fp, fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-009
+  {
+    id: 'SEC-HDR-009', category: 'security', severity: 'low', confidence: 'suggestion',
+    title: 'X-Powered-By header exposed',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.framework !== 'express') return findings;
+      const hasHelmet = 'helmet' in (stack.dependencies || {});
+      const disablesPoweredBy = [...files.values()].some(c =>
+        c.includes('x-powered-by') || c.includes('X-Powered-By') || c.includes('hidePoweredBy') || c.includes("disable('x-powered-by')")
+      );
+      if (!hasHelmet && !disablesPoweredBy) {
+        findings.push({
+          ruleId: 'SEC-HDR-009', category: 'security', severity: 'low',
+          title: 'Express X-Powered-By header reveals technology stack',
+          description: 'Use app.disable("x-powered-by") or helmet to remove it.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-010
+  {
+    id: 'SEC-HDR-010', category: 'security', severity: 'medium', confidence: 'likely',
+    title: 'Insecure CSP with unsafe-inline/unsafe-eval',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (!isJS(fp)) continue;
+        if (content.includes('Content-Security-Policy') || content.includes('contentSecurityPolicy')) {
+          if (content.includes("'unsafe-inline'") || content.includes("'unsafe-eval'")) {
+            findings.push({
+              ruleId: 'SEC-HDR-010', category: 'security', severity: 'medium',
+              title: 'CSP includes unsafe-inline or unsafe-eval — weakens XSS protection',
+              file: fp, fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // SEC-HDR-011
+  {
+    id: 'SEC-HDR-011', category: 'security', severity: 'high', confidence: 'likely',
+    title: 'No helmet.js in Express app',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.framework !== 'express') return findings;
+      if (!('helmet' in (stack.dependencies || {}))) {
+        findings.push({
+          ruleId: 'SEC-HDR-011', category: 'security', severity: 'high',
+          title: 'Express app without helmet middleware — no security headers set',
+          description: 'Install and use helmet to automatically set security headers.',
+          fix: null,
+        });
+      }
+      return findings;
+    },
+  },
+];
+export default rules;

package/src/rules/security/index.js ADDED Viewed

@@ -0,0 +1,65 @@
+import injectionRules from './injection.js';
+import xssRules from './xss.js';
+import csrfRules from './csrf.js';
+import headersRules from './headers.js';
+import corsRules from './cors.js';
+import rateLimitingRules from './rate-limiting.js';
+import fileUploadRules from './file-upload.js';
+import cryptoRules from './crypto.js';
+import secretsRules from './secrets.js';
+import misconfigRules from './misconfiguration.js';
+import authRules from './auth.js';
+import supplyChainRules from './supply-chain.js';
+import taintRules from './taint.js';
+import prototypePollutionRules from './prototype-pollution.js';
+import ssrfRules from './ssrf.js';
+import deserializationRules from './deserialization.js';
+import pathTraversalRules from './path-traversal.js';
+import oauthJwtRules from './oauth-jwt.js';
+import supplyChainAdvancedRules from './supply-chain-advanced.js';
+import goRules from './go.js';
+import rustRules from './rust.js';
+import csharpRules from './csharp.js';
+import swiftRules from './swift.js';
+import dartRules from './dart.js';
+import shellRules from './shell.js';
+import rubyRules from './ruby.js';
+import phpRules from './php.js';
+import scopeRules from '../scope-rules.js';
+import mcpServerRules from './mcp-server.js';
+import aiApiRules from './ai-api.js';
+const rules = [
+  ...injectionRules,
+  ...xssRules,
+  ...csrfRules,
+  ...headersRules,
+  ...corsRules,
+  ...rateLimitingRules,
+  ...fileUploadRules,
+  ...cryptoRules,
+  ...secretsRules,
+  ...misconfigRules,
+  ...authRules,
+  ...supplyChainRules,
+  ...taintRules,
+  ...prototypePollutionRules,
+  ...ssrfRules,
+  ...deserializationRules,
+  ...pathTraversalRules,
+  ...oauthJwtRules,
+  ...supplyChainAdvancedRules,
+  ...goRules,
+  ...rustRules,
+  ...csharpRules,
+  ...swiftRules,
+  ...dartRules,
+  ...shellRules,
+  ...rubyRules,
+  ...phpRules,
+  ...scopeRules,
+  ...mcpServerRules,
+  ...aiApiRules,
+];
+export default rules;