getdoorman 1.0.0

package/src/rules/security/taint.js

@@ -0,0 +1,27 @@
+/**
+ * Taint analysis rules — wraps src/taint.js into the standard rule format.
+ *
+ * These rules detect INDIRECT injection paths: user input flows through one
+ * or more variable assignments before reaching a dangerous sink. Direct paths
+ * (e.g. exec(req.query.x)) are already caught by the pattern-matching rules.
+ *
+ * Rule IDs: TAINT-CMD-001, TAINT-SQL-001, TAINT-EVAL-001, TAINT-XSS-001,
+ *           TAINT-PATH-001, TAINT-REDIR-001, TAINT-REQUIRE-001
+ */
+
+import { runTaintAnalysis } from '../../taint.js';
+
+const rules = [
+  {
+    id: 'TAINT-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'Data Flow / Taint Analysis — Indirect Injection',
+    check({ files }) {
+      return runTaintAnalysis(files);
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/xss.js

@@ -0,0 +1,520 @@
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+function shouldSkip(filepath, line) {
+  if (/[/\\](test|mock|fixture|__test__|__mock__|__fixture__|\.test\.|\.spec\.|\.mock\.)/.test(filepath)) return true;
+  if (line.trimStart().startsWith('//') || line.trimStart().startsWith('*') || line.trimStart().startsWith('/*')) return true;
+  return false;
+}
+
+const rules = [
+  // SEC-XSS-001: innerHTML/outerHTML/insertAdjacentHTML usage
+  {
+    id: 'SEC-XSS-001',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'innerHTML/outerHTML/insertAdjacentHTML usage (XSS risk)',
+    check({ files }) {
+      const findings = [];
+      const pattern = /\.(innerHTML|outerHTML)\s*=|\.insertAdjacentHTML\s*\(/;
+      // Only flag when the RHS looks like a variable/expression, not a static string literal
+      const staticRhsPattern = /\.(innerHTML|outerHTML)\s*=\s*'[^']*'|\.innerHTML\s*=\s*"[^"]*"|\.innerHTML\s*=\s*`[^`$]*`/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if (pattern.test(lines[i]) && !staticRhsPattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-001',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'Direct DOM HTML injection via innerHTML/outerHTML/insertAdjacentHTML',
+              description: 'Assigning unsanitized content to innerHTML, outerHTML, or insertAdjacentHTML can lead to XSS. Use textContent or a sanitization library like DOMPurify.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-002: React dangerouslySetInnerHTML
+  {
+    id: 'SEC-XSS-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'React dangerouslySetInnerHTML usage',
+    check({ files }) {
+      const findings = [];
+      const pattern = /dangerouslySetInnerHTML\s*=\s*\{\s*\{/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if ((pattern.test(lines[i]) || /dangerouslySetInnerHTML/.test(lines[i])) &&
+              !/DOMPurify\.sanitize|sanitizeHtml|xss\s*\(|escape\s*\(/.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-002',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'dangerouslySetInnerHTML renders raw HTML — XSS risk',
+              description: 'dangerouslySetInnerHTML bypasses React\'s XSS protections. Sanitize the HTML with DOMPurify before rendering.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-003: Vue v-html directive
+  {
+    id: 'SEC-XSS-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Vue v-html directive usage',
+    check({ files }) {
+      const findings = [];
+      const pattern = /v-html\s*=/;
+
+      for (const [filepath, content] of files) {
+        if (!filepath.endsWith('.vue') && !isJS(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-003',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'Vue v-html renders raw HTML — XSS risk',
+              description: 'v-html renders unescaped HTML and can lead to XSS. Use v-text or sanitize the content before rendering.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-004: Angular bypassSecurityTrust*
+  {
+    id: 'SEC-XSS-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Angular bypassSecurityTrust* usage',
+    check({ files }) {
+      const findings = [];
+      const pattern = /bypassSecurityTrust(Html|Script|Style|Url|ResourceUrl)\s*\(/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-004',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'Angular security bypass via bypassSecurityTrust*',
+              description: 'bypassSecurityTrust* disables Angular\'s built-in sanitization. Ensure the input is trusted and already sanitized.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-005: Unescaped template output
+  {
+    id: 'SEC-XSS-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Unescaped template output',
+    check({ files }) {
+      const findings = [];
+      const patterns = [
+        { regex: /<%-.+?%>/, name: 'EJS unescaped output (<%-)', },
+        { regex: /\{!!.+?!!\}/, name: 'Blade unescaped output ({!! !!})' },
+        { regex: /\|\s*safe\b/, name: 'Jinja/Nunjucks |safe filter' },
+      ];
+
+      for (const [filepath, content] of files) {
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          for (const { regex, name } of patterns) {
+            if (regex.test(lines[i])) {
+              findings.push({
+                ruleId: 'SEC-XSS-005',
+                category: 'security',
+                severity: 'high',
+                confidence: 'likely',
+                title: `Unescaped template output: ${name}`,
+                description: 'Unescaped template output renders raw HTML and can lead to XSS. Use escaped output or sanitize the data.',
+                file: filepath,
+                line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-006: document.write/document.writeln
+  {
+    id: 'SEC-XSS-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'document.write/document.writeln usage',
+    check({ files }) {
+      const findings = [];
+      const pattern = /document\.write(ln)?\s*\(/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-006',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'document.write/writeln used — XSS risk',
+              description: 'document.write injects raw HTML into the page and is a known XSS vector. Use DOM APIs like createElement instead.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-007: javascript: in href/src attributes
+  {
+    id: 'SEC-XSS-007',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'javascript: protocol in href/src attributes',
+    check({ files }) {
+      const findings = [];
+      // Exclude javascript:void(0) and javascript:; which are legitimate placeholders
+      const pattern = /(?:href|src|action)\s*=\s*['"`]?\s*javascript\s*:(?!void\s*\(0\)|;|void\(0\))/i;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath) && !filepath.endsWith('.html') && !filepath.endsWith('.vue')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (shouldSkip(filepath, lines[i])) continue;
+          if (pattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-007',
+              category: 'security',
+              severity: 'critical',
+              confidence: 'definite',
+              title: 'javascript: protocol in href/src — XSS risk',
+              description: 'Using javascript: in href or src attributes allows script execution. Validate and sanitize all URLs.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-008: Database content rendered without escaping
+  {
+    id: 'SEC-XSS-008',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Database content rendered without escaping',
+    check({ files }) {
+      const findings = [];
+      const pattern = /\{\s*(?:data|record|row|result|item|entry|doc|document|user|post|comment)\.(?:html|content|body|description|bio|message|text|markup|template|richText|htmlContent)\s*\}/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath) && !filepath.endsWith('.vue')) continue;
+        if (shouldSkip(filepath, '')) continue;
+        // JSX files (.jsx/.tsx) auto-escape {} expressions — React handles XSS protection
+        if (filepath.endsWith('.jsx') || filepath.endsWith('.tsx')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trimStart().startsWith('//') || lines[i].trimStart().startsWith('*')) continue;
+          if (pattern.test(lines[i])) {
+            // Skip if it's already inside dangerouslySetInnerHTML (caught by SEC-XSS-002)
+            if (/dangerouslySetInnerHTML/.test(lines[i])) continue;
+            findings.push({
+              ruleId: 'SEC-XSS-008',
+              category: 'security',
+              severity: 'medium',
+              confidence: 'likely',
+              title: 'Database content rendered without explicit escaping',
+              description: 'Rendering database-sourced HTML content directly in templates may lead to stored XSS. Sanitize with DOMPurify or similar.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-009: SVG file upload without sanitization
+  {
+    id: 'SEC-XSS-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'SVG file upload without sanitization',
+    check({ files }) {
+      const findings = [];
+      const uploadPattern = /(?:upload|multer|formidable|busboy|multipart)/i;
+      const svgAllowPattern = /(?:image\/svg|\.svg|svg\+xml|'svg'|"svg")/i;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        if (shouldSkip(filepath, '')) continue;
+        if (!uploadPattern.test(content)) continue;
+        if (!svgAllowPattern.test(content)) continue;
+
+        // Check if there is any SVG sanitization
+        const hasSanitization = /(?:DOMPurify|sanitize-svg|svg-sanitizer|sanitizeSvg|sanitize\s*\(|clean\s*\()/i.test(content);
+        if (!hasSanitization) {
+          findings.push({
+            ruleId: 'SEC-XSS-009',
+            category: 'security',
+            severity: 'medium',
+            confidence: 'likely',
+            title: 'SVG upload accepted without sanitization',
+            description: 'SVG files can contain embedded JavaScript. Sanitize uploaded SVGs to strip script elements and event handlers.',
+            file: filepath,
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-010: Missing Content-Security-Policy
+  {
+    id: 'SEC-XSS-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Missing Content-Security-Policy',
+    check({ files, stack }) {
+      const findings = [];
+      const deps = stack.dependencies || {};
+
+      // Check for helmet usage
+      const hasHelmet = 'helmet' in deps;
+      if (hasHelmet) return findings;
+
+      // Check for CSP header set manually in any file
+      let hasCsp = false;
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        if (/Content-Security-Policy/i.test(content) || /\.contentSecurityPolicy\s*\(/.test(content) || /csp\s*[:=]/i.test(content)) {
+          hasCsp = true;
+          break;
+        }
+      }
+
+      if (!hasCsp) {
+        // Only report if there are server-side files
+        const hasServer = [...files.keys()].some(f =>
+          isJS(f) && (/server|app|index|middleware|routes/i.test(f))
+        );
+        if (hasServer) {
+          findings.push({
+            ruleId: 'SEC-XSS-010',
+            category: 'security',
+            severity: 'medium',
+            confidence: 'likely',
+            title: 'No Content-Security-Policy header configured',
+            description: 'CSP is a critical defense against XSS attacks. Use the helmet package or set the Content-Security-Policy header manually.',
+            fix: null,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-011: window.location/URL params used in DOM
+  {
+    id: 'SEC-XSS-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'URL parameters used in DOM manipulation',
+    check({ files }) {
+      const findings = [];
+      const sourcePattern = /(?:window\.location|location\.(?:search|hash|href)|URLSearchParams|url\.searchParams|document\.URL|document\.referrer|document\.documentURI)/;
+      const sinkPattern = /(?:innerHTML|outerHTML|document\.write|\.html\s*\(|insertAdjacentHTML|\$\s*\()/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        if (shouldSkip(filepath, '')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trimStart().startsWith('//') || lines[i].trimStart().startsWith('*')) continue;
+          if (sourcePattern.test(lines[i]) && sinkPattern.test(lines[i])) {
+            findings.push({
+              ruleId: 'SEC-XSS-011',
+              category: 'security',
+              severity: 'high',
+              confidence: 'likely',
+              title: 'URL/location parameters used directly in DOM sink',
+              description: 'User-controlled URL parameters written to innerHTML or similar DOM sinks enable DOM-based XSS. Sanitize all URL-derived data before DOM insertion.',
+              file: filepath,
+              line: i + 1,
+              fix: null,
+            });
+          }
+        }
+
+        // Also detect across nearby lines (source on one line, sink within 5 lines)
+        const lines2 = content.split('\n');
+        for (let i = 0; i < lines2.length; i++) {
+          if (lines2[i].trimStart().startsWith('//') || lines2[i].trimStart().startsWith('*')) continue;
+          if (sourcePattern.test(lines2[i])) {
+            for (let j = i + 1; j < Math.min(i + 6, lines2.length); j++) {
+              if (sinkPattern.test(lines2[j])) {
+                // Avoid duplicate if same line was already caught
+                if (j !== i) {
+                  findings.push({
+                    ruleId: 'SEC-XSS-011',
+                    category: 'security',
+                    severity: 'high',
+                    confidence: 'likely',
+                    title: 'URL/location parameters flow into DOM sink nearby',
+                    description: 'User-controlled URL parameters flow into an unsafe DOM sink within a few lines. Sanitize or encode all URL-derived values.',
+                    file: filepath,
+                    line: i + 1,
+                    fix: null,
+                  });
+                }
+                break;
+              }
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-XSS-012: postMessage without origin validation
+  {
+    id: 'SEC-XSS-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'postMessage without origin validation',
+    check({ files }) {
+      const findings = [];
+      const listenerPattern = /addEventListener\s*\(\s*['"]message['"]/;
+      const originCheckPattern = /(?:event|e|evt|msg)\.origin\s*[!=]==?\s*['"`]/;
+
+      for (const [filepath, content] of files) {
+        if (!isJS(filepath)) continue;
+        if (shouldSkip(filepath, '')) continue;
+        if (!listenerPattern.test(content)) continue;
+
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].trimStart().startsWith('//') || lines[i].trimStart().startsWith('*')) continue;
+          if (listenerPattern.test(lines[i])) {
+            // Look ahead up to 15 lines for an origin check
+            let hasOriginCheck = false;
+            for (let j = i; j < Math.min(i + 16, lines.length); j++) {
+              if (originCheckPattern.test(lines[j]) || /\.origin/.test(lines[j])) {
+                hasOriginCheck = true;
+                break;
+              }
+            }
+            if (!hasOriginCheck) {
+              findings.push({
+                ruleId: 'SEC-XSS-012',
+                category: 'security',
+                severity: 'high',
+                confidence: 'likely',
+                title: 'postMessage listener without origin validation',
+                description: 'Always validate event.origin in message event handlers to prevent cross-origin attacks. Check origin against a trusted allowlist.',
+                file: filepath,
+                line: i + 1,
+                fix: null,
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  // SEC-XSS-013: Server-side reflected XSS via res.send/res.write
+  { id: 'SEC-XSS-013', category: 'security', severity: 'critical', confidence: 'definite', title: 'Server-Side Reflected XSS via res.send()',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!['.js', '.ts', '.mjs', '.cjs'].some(e => fp.endsWith(e))) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/res\.(send|write)\s*\(/) && !lines[i].match(/\/\//)) {
+            if (lines[i].match(/req\.(query|body|params)\.\w+|req\.query\b|req\.body\b|req\.params\b/)) {
+              findings.push({ ruleId: 'SEC-XSS-013', category: 'security', severity: 'critical', title: 'Reflected XSS: user input directly sent in HTTP response', description: 'Use res.json() for API responses or sanitize HTML with DOMPurify/sanitize-html. Sending unsanitized user input in res.send() causes reflected XSS.', file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/scan-cache.js

@@ -0,0 +1,71 @@
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+const CACHE_DIR = '.doorman';
+const CACHE_FILE = 'last-scan.json';
+
+/**
+ * Save scan results to cache for incremental merging and instant fix.
+ */
+export function saveScanCache(targetPath, findings, stack, score) {
+  const dir = join(targetPath, CACHE_DIR);
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+
+  const cache = {
+    timestamp: new Date().toISOString(),
+    score,
+    stack,
+    findings: findings.map(f => ({
+      ruleId: f.ruleId,
+      category: f.category,
+      severity: f.severity,
+      title: f.title,
+      file: f.file,
+      line: f.line,
+      confidence: f.confidence,
+      fix: f.fix,
+      description: f.description,
+    })),
+  };
+
+  writeFileSync(join(dir, CACHE_FILE), JSON.stringify(cache, null, 2));
+}
+
+/**
+ * Load cached scan results.
+ */
+export function loadScanCache(targetPath) {
+  const cachePath = join(targetPath, CACHE_DIR, CACHE_FILE);
+  if (!existsSync(cachePath)) return null;
+  try {
+    return JSON.parse(readFileSync(cachePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Merge incremental scan results with cached results.
+ * Replaces cached findings for files that were re-scanned,
+ * keeps cached findings for files that weren't.
+ */
+export function mergeWithCache(targetPath, newFindings, scannedFiles) {
+  const cache = loadScanCache(targetPath);
+  if (!cache || !cache.findings) return newFindings;
+
+  // Files that were scanned — their findings are fresh
+  const scannedFileSet = new Set(scannedFiles);
+
+  // Keep cached findings for files NOT in this scan
+  const keptFromCache = cache.findings.filter(f =>
+    f.file && !scannedFileSet.has(f.file)
+  );
+
+  // Also keep project-level findings (no file) from cache if no new ones replace them
+  const newRuleIds = new Set(newFindings.map(f => f.ruleId));
+  const keptProjectLevel = cache.findings.filter(f =>
+    !f.file && !newRuleIds.has(f.ruleId)
+  );
+
+  return [...newFindings, ...keptFromCache, ...keptProjectLevel];
+}