getdoorman 1.0.0

package/src/tracer.js

@@ -0,0 +1,190 @@
+/**
+ * Attack path tracer — lightweight data-flow analysis to determine whether
+ * vulnerability findings are reachable from public-facing routes.
+ * Heuristic-based (regex, not AST). Supports Express, Koa, and Next.js patterns.
+ */
+
+const ROUTE_PATTERN = /(?:app|router)\.(get|post|put|delete|patch)\(\s*['"`]([^'"`]+)['"`]/g;
+const NEXTJS_HANDLER = /export\s+(?:default\s+)?(?:async\s+)?function\s+(handler|GET|POST|PUT|DELETE|PATCH)\b/g;
+
+/** Scan every file for Express / Koa / Next.js route definitions. */
+function findRoutes(files) {
+  const routes = new Map();
+  for (const [filePath, content] of files.entries()) {
+    const hits = [];
+    let m;
+    ROUTE_PATTERN.lastIndex = 0;
+    while ((m = ROUTE_PATTERN.exec(content)) !== null) {
+      const line = content.slice(0, m.index).split('\n').length;
+      hits.push({ method: m[1].toUpperCase(), path: m[2], line });
+    }
+    NEXTJS_HANDLER.lastIndex = 0;
+    while ((m = NEXTJS_HANDLER.exec(content)) !== null) {
+      const line = content.slice(0, m.index).split('\n').length;
+      const method = m[1] === 'handler' ? 'ALL' : m[1].toUpperCase();
+      const urlPath = deriveNextRoute(filePath);
+      hits.push({ method, path: urlPath, line });
+    }
+
+    // Files under pages/api or app/api are route handlers even without explicit exports
+    if (hits.length === 0 && /(?:pages|app)\/api\//.test(filePath)) {
+      hits.push({ method: 'ALL', path: deriveNextRoute(filePath), line: 1 });
+    }
+
+    if (hits.length > 0) routes.set(filePath, hits);
+  }
+  return routes;
+}
+
+function deriveNextRoute(filePath) {
+  const match = filePath.match(/(?:pages|app)(\/api\/.+?)(?:\/route)?\.\w+$/);
+  return match ? match[1].replace(/\/index$/, '') : '/api/unknown';
+}
+
+const ESM_IMPORT = /import\s+.*?from\s+['"]([^'"]+)['"]/g;
+const CJS_REQUIRE = /require\(\s*['"]([^'"]+)['"]\s*\)/g;
+
+/** Build a mapping of file -> list of files it imports (resolved to keys in `files`). */
+function buildImportGraph(files) {
+  const graph = new Map();
+  const fileKeys = [...files.keys()];
+  for (const [filePath, content] of files.entries()) {
+    const imports = new Set();
+    for (const regex of [ESM_IMPORT, CJS_REQUIRE]) {
+      regex.lastIndex = 0;
+      let m;
+      while ((m = regex.exec(content)) !== null) {
+        const specifier = m[1];
+        if (!specifier.startsWith('.')) continue;
+        const resolved = resolveSpecifier(filePath, specifier, fileKeys);
+        if (resolved) imports.add(resolved);
+      }
+    }
+
+    if (imports.size > 0) graph.set(filePath, [...imports]);
+  }
+  return graph;
+}
+
+/** Resolve a relative import specifier against the importer's directory. */
+function resolveSpecifier(importer, specifier, fileKeys) {
+  const dir = importer.includes('/') ? importer.slice(0, importer.lastIndexOf('/')) : '';
+  const base = normalizePath(`${dir}/${specifier}`);
+  const candidates = [
+    base,
+    `${base}.js`,
+    `${base}.ts`,
+    `${base}.mjs`,
+    `${base}.jsx`,
+    `${base}.tsx`,
+    `${base}/index.js`,
+    `${base}/index.ts`,
+  ];
+
+  for (const c of candidates) {
+    if (fileKeys.includes(c)) return c;
+  }
+  return null;
+}
+
+function normalizePath(p) {
+  const parts = [];
+  for (const seg of p.split('/')) {
+    if (seg === '.' || seg === '') continue;
+    if (seg === '..') { parts.pop(); continue; }
+    parts.push(seg);
+  }
+  return parts.join('/');
+}
+
+/** BFS from route files through imports (max depth 3) to find reachable files. */
+function computeReachability(routes, importGraph, maxDepth = 3) {
+  const reachable = new Map();
+  for (const [routeFile, routeList] of routes.entries()) {
+    const queue = [{ file: routeFile, depth: 0 }];
+    const visited = new Set();
+
+    while (queue.length > 0) {
+      const { file, depth } = queue.shift();
+      if (visited.has(file)) continue;
+      visited.add(file);
+
+      const existing = reachable.get(file);
+      if (!existing || existing.depth > depth) {
+        reachable.set(file, { depth, routeFile, routes: routeList });
+      }
+
+      if (depth < maxDepth) {
+        const deps = importGraph.get(file) || [];
+        for (const dep of deps) {
+          if (!visited.has(dep)) {
+            queue.push({ file: dep, depth: depth + 1 });
+          }
+        }
+      }
+    }
+  }
+
+  return reachable;
+}
+
+const SEVERITY_ORDER = ['info', 'low', 'medium', 'high', 'critical'];
+
+function bumpSeverity(severity) {
+  const idx = SEVERITY_ORDER.indexOf(severity);
+  if (idx >= 0 && idx < SEVERITY_ORDER.length - 1) {
+    return SEVERITY_ORDER[idx + 1];
+  }
+  return severity;
+}
+
+function formatRouteLabel(route, routeFile) {
+  return `${route.method} ${route.path} (${routeFile}:${route.line})`;
+}
+
+/** Trace attack paths and enrich findings with reachability data. */
+export function traceAttackPaths(findings, files, stack) {
+  if (!findings || findings.length === 0) return findings;
+
+  const routes = findRoutes(files);
+  const importGraph = buildImportGraph(files);
+  const reachable = computeReachability(routes, importGraph);
+
+  return findings.map((finding) => {
+    const file = finding.file || finding.filePath || null;
+    if (!file) {
+      return {
+        ...finding,
+        attackPath: { reachable: false, chain: [], exposure: 'unknown' },
+      };
+    }
+
+    const info = reachable.get(file);
+    if (!info) {
+      return {
+        ...finding,
+        attackPath: { reachable: false, chain: [], exposure: 'internal' },
+        note: (finding.note ? finding.note + ' | ' : '') + 'Internal only \u2014 lower risk',
+      };
+    }
+
+    // Build the chain description
+    const chain = [];
+    const routeLabel = formatRouteLabel(info.routes[0], info.routeFile);
+    chain.push(routeLabel);
+
+    if (info.depth > 0) {
+      const loc = finding.line ? `${file}:${finding.line}` : file;
+      chain.push(loc);
+    }
+
+    const exposure = info.depth === 0 ? 'direct' : 'indirect';
+    const adjustedSeverity = bumpSeverity(finding.severity || 'medium');
+
+    return {
+      ...finding,
+      severity: adjustedSeverity,
+      attackPath: { reachable: true, chain, exposure },
+    };
+  });
+}

package/src/upload.js

@@ -0,0 +1,35 @@
+/**
+ * Upload scan results to the Doorman dashboard API.
+ *
+ * This runs after every `doorman check` invocation.  If no API key is
+ * configured the call is silently skipped so it never blocks the CLI.
+ */
+
+export async function uploadScan(targetPath, scanResult, options = {}) {
+  const apiKey = process.env.DOORMAN_API_KEY || options.apiKey;
+  const endpoint = (
+    process.env.DOORMAN_API_URL || options.apiUrl || 'https://api.doorman.dev'
+  ).replace(/\/+$/, '');
+
+  if (!apiKey) return null; // Silent skip — no key configured
+
+  try {
+    const res = await fetch(`${endpoint}/api/scans`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'x-api-key': apiKey,
+      },
+      body: JSON.stringify({
+        score: scanResult.score,
+        findings: scanResult.findings,
+        stack: scanResult.stack,
+        fileCount: scanResult.fileCount || 0,
+      }),
+      signal: AbortSignal.timeout(5000),
+    });
+    return res.ok;
+  } catch {
+    return false; // Never block the CLI
+  }
+}

package/src/worker.js

@@ -0,0 +1,31 @@
+import { parentPort, workerData } from 'worker_threads';
+
+const { ruleModulePath, ruleIds, filesEntries, stack } = workerData;
+
+async function run() {
+  try {
+    const mod = await import(ruleModulePath);
+    const allRules = mod.default;
+    const assignedRules = allRules.filter(r => ruleIds.includes(r.id));
+
+    const files = new Map(filesEntries);
+    const context = { files, stack };
+    const findings = [];
+
+    for (const rule of assignedRules) {
+      try {
+        const result = await rule.check(context);
+        if (Array.isArray(result)) findings.push(...result);
+      } catch (e) {
+        // Log failed rules for debugging, but continue scanning
+        console.warn(`[worker] Rule "${rule.id || rule.name || 'unknown'}" failed: ${e.message}`);
+      }
+    }
+
+    parentPort.postMessage({ findings });
+  } catch (e) {
+    parentPort.postMessage({ findings: [], error: e.message });
+  }
+}
+
+run();