getdoorman 1.0.0

package/src/fixer-ruby-php.js

@@ -0,0 +1,608 @@
+// ---------------------------------------------------------------------------
+// Ruby & PHP auto-fix transforms  (70 total: 35 Ruby + 35 PHP)
+// ---------------------------------------------------------------------------
+// Each fix function takes a content string and returns the modified string,
+// or null if the fix could not be applied.
+//
+// R1-R10 and P1-P10 are re-exported from fixer.js so that this module is the
+// single source of truth for all Ruby and PHP fixes.
+// ---------------------------------------------------------------------------
+
+import {
+  fixRubyFindBySql,
+  fixRubyHtmlSafe,
+  fixRubySystemCall,
+  fixRubyYamlLoad,
+  fixRubyMarshalLoad,
+  fixRubyPermitAll,
+  fixRubySkipCsrf,
+  fixRubyEval as fixRubyEvalInput,
+  fixRubyOpenUri,
+  fixRubyWeakHash,
+  fixPhpMysqlQuery,
+  fixPhpEcho as fixPhpEchoUnsafe,
+  fixPhpEval,
+  fixPhpExec as fixPhpExecInput,
+  fixPhpMd5Password,
+  fixPhpExtract as fixPhpExtractPost,
+  fixPhpLooseComparison,
+  fixPhpSessionConfig,
+  fixPhpUnserialize,
+  fixPhpInclude as fixPhpIncludeInput,
+} from './fixer.js';
+
+// Re-export the imported fixes so consumers get everything from this module
+export {
+  fixRubyFindBySql,
+  fixRubyHtmlSafe,
+  fixRubySystemCall,
+  fixRubyYamlLoad,
+  fixRubyMarshalLoad,
+  fixRubyPermitAll,
+  fixRubySkipCsrf,
+  fixRubyEvalInput,
+  fixRubyOpenUri,
+  fixRubyWeakHash,
+  fixPhpMysqlQuery,
+  fixPhpEchoUnsafe,
+  fixPhpEval,
+  fixPhpExecInput,
+  fixPhpMd5Password,
+  fixPhpExtractPost,
+  fixPhpLooseComparison,
+  fixPhpSessionConfig,
+  fixPhpUnserialize,
+  fixPhpIncludeInput,
+};
+
+// ===========================================================================
+// Ruby fixes (R11 – R35)
+// ===========================================================================
+
+// R11. Replace hardcoded secret with ENV lookup
+export function fixRubyHardcodedSecret(content) {
+  const modified = content.replace(
+    /(\w*secret\w*)\s*=\s*["']([^"']{8,})["']/gi,
+    "$1 = ENV['SECRET'] # TODO: set SECRET in environment",
+  );
+  return modified === content ? null : modified;
+}
+
+// R12. Add strong params wrapper where params used directly
+export function fixRubyNoStrongParams(content) {
+  const modified = content.replace(
+    /(\w+)\.create\(\s*params\s*\)/g,
+    "$1.create(permitted_params) # TODO: define permitted_params via params.require(...).permit(...)",
+  );
+  return modified === content ? null : modified;
+}
+
+// R13. Replace raw output with h() helper
+export function fixRubyRawOutput(content) {
+  const modified = content.replace(
+    /<%=\s*raw\s+(\w+)\s*%>/g,
+    '<%= h($1) %>',
+  );
+  return modified === content ? null : modified;
+}
+
+// R14. Add Shellwords.shellescape to exec input
+export function fixRubyExecInput(content) {
+  const modified = content.replace(
+    /`([^`]*?)#\{(\w+)\}([^`]*?)`/g,
+    '`$1#{Shellwords.shellescape($2)}$3`',
+  );
+  return modified === content ? null : modified;
+}
+
+// R15. Replace backticks command with Open3.capture3
+export function fixRubyBackticksInput(content) {
+  const modified = content.replace(
+    /(\w+)\s*=\s*`([^`]+)`/g,
+    '$1_out, $1_err, $1_status = Open3.capture3("$2")',
+  );
+  return modified === content ? null : modified;
+}
+
+// R16. Replace send() with public_send()
+export function fixRubySendUnsafe(content) {
+  const modified = content.replace(
+    /\.send\(/g,
+    '.public_send(',
+  );
+  return modified === content ? null : modified;
+}
+
+// R17. Add whitelist check to const_get
+export function fixRubyConstGet(content) {
+  const modified = content.replace(
+    /const_get\((\w+)\)/g,
+    'const_get($1) # SECURITY: validate $1 against an allowlist before calling const_get',
+  );
+  return modified === content ? null : modified;
+}
+
+// R18. Add timeout to HTTP requests
+export function fixRubyNoTimeout(content) {
+  const modified = content.replace(
+    /Net::HTTP\.get\(([^)]+)\)/g,
+    'Net::HTTP.start($1, open_timeout: 10, read_timeout: 10) { |http| http.get($1) }',
+  );
+  return modified === content ? null : modified;
+}
+
+// R19. Replace VERIFY_NONE with VERIFY_PEER
+export function fixRubyInsecureSsl(content) {
+  const modified = content.replace(
+    /OpenSSL::SSL::VERIFY_NONE/g,
+    'OpenSSL::SSL::VERIFY_PEER',
+  );
+  return modified === content ? null : modified;
+}
+
+// R20. Add Rails.logger where puts used in controllers
+export function fixRubyNoLogging(content) {
+  if (!/class\s+\w+Controller/.test(content)) return null;
+  const modified = content.replace(
+    /\bputs\s+/g,
+    'Rails.logger.info ',
+  );
+  return modified === content ? null : modified;
+}
+
+// R21. Replace hardcoded DB credentials with database.yml reference
+export function fixRubyHardcodedDb(content) {
+  const modified = content.replace(
+    /((?:password|passwd|db_pass)\s*[:=]\s*)["']([^"']+)["']/gi,
+    "$1ENV['DATABASE_PASSWORD'] # TODO: move credential to database.yml / Rails credentials",
+  );
+  return modified === content ? null : modified;
+}
+
+// R22. Replace hardcoded session secret with credentials.yml
+export function fixRubySessionSecret(content) {
+  const modified = content.replace(
+    /(secret_key_base\s*=\s*)["']([^"']+)["']/g,
+    "$1Rails.application.credentials.secret_key_base",
+  );
+  return modified === content ? null : modified;
+}
+
+// R23. Add rack-attack rate limiting comment
+export function fixRubyNoRateLimit(content) {
+  if (!/class\s+\w+Controller/.test(content)) return null;
+  if (/rack.attack|throttle|rate.limit/i.test(content)) return null;
+  const modified = content.replace(
+    /(class\s+\w+Controller\s*<\s*\w+)/,
+    "# TODO: add Rack::Attack throttle rules for rate limiting\n$1",
+  );
+  return modified === content ? null : modified;
+}
+
+// R24. Sanitize path in File.read
+export function fixRubyFileReadInput(content) {
+  const modified = content.replace(
+    /File\.read\((\w+)\)/g,
+    'File.read(File.expand_path($1, Rails.root.join("safe_dir"))) # SECURITY: validate path',
+  );
+  return modified === content ? null : modified;
+}
+
+// R25. Escape glob pattern input
+export function fixRubyGlobInput(content) {
+  const modified = content.replace(
+    /Dir\.glob\((\w+)\)/g,
+    'Dir.glob($1.gsub(/[\\[\\]\\*\\?]/, "")) # SECURITY: sanitize glob input',
+  );
+  return modified === content ? null : modified;
+}
+
+// R26. Wrap user input in Regexp.escape
+export function fixRubyRegexpInput(content) {
+  const modified = content.replace(
+    /Regexp\.new\((\w+)\)/g,
+    'Regexp.new(Regexp.escape($1))',
+  );
+  return modified === content ? null : modified;
+}
+
+// R27. Add before_action :authenticate_user! where missing
+export function fixRubyNoAuth(content) {
+  if (!/class\s+\w+Controller/.test(content)) return null;
+  if (/before_action\s+:authenticate|skip_before_action\s+:authenticate/.test(content)) return null;
+  const modified = content.replace(
+    /(class\s+\w+Controller\s*<\s*\w+)/,
+    "$1\n  before_action :authenticate_user! # TODO: verify authentication requirement",
+  );
+  return modified === content ? null : modified;
+}
+
+// R28. Replace render inline: with template rendering
+export function fixRubyRenderInline(content) {
+  const modified = content.replace(
+    /render\s+inline:\s*["']([^"']+)["']/g,
+    'render template: "shared/inline_template" # SECURITY: replaced inline render — move markup to a template',
+  );
+  return modified === content ? null : modified;
+}
+
+// R29. Add URL whitelist to redirect
+export function fixRubyRedirectInput(content) {
+  const modified = content.replace(
+    /redirect_to\s+(\w+)\b(?!\s*_path|\s*_url)/g,
+    'redirect_to($1 =~ /\\A\\// ? $1 : root_path) # SECURITY: validate redirect target',
+  );
+  return modified === content ? null : modified;
+}
+
+// R30. Replace ENV direct access with Rails.credentials
+export function fixRubyNoEncryptedCreds(content) {
+  const modified = content.replace(
+    /ENV\[['"](\w*(?:SECRET|KEY|TOKEN)\w*)['"]\]/g,
+    'Rails.application.credentials.$1 # TODO: add to credentials.yml.enc',
+  );
+  return modified === content ? null : modified;
+}
+
+// R31. Replace deprecated find(:all) with where().first
+export function fixRubyDeprecatedFind(content) {
+  const modified = content.replace(
+    /\.find\(:all,\s*conditions:\s*\[([^\]]+)\]\)/g,
+    '.where($1)',
+  );
+  return modified === content ? null : modified;
+}
+
+// R32. Replace mass assignment with explicit attributes
+export function fixRubyMassAssignment(content) {
+  const modified = content.replace(
+    /\.update_attributes\(params\[:\w+\]\)/g,
+    '.update(permitted_params) # TODO: use strong parameters — params.require(:model).permit(:field1, :field2)',
+  );
+  return modified === content ? null : modified;
+}
+
+// R33. Add validates presence to model
+export function fixRubyNoValidation(content) {
+  if (!/class\s+\w+\s*<\s*(?:ActiveRecord::Base|ApplicationRecord)/.test(content)) return null;
+  if (/validates\s/.test(content)) return null;
+  const modified = content.replace(
+    /(class\s+\w+\s*<\s*(?:ActiveRecord::Base|ApplicationRecord))/,
+    "$1\n  # TODO: add model validations\n  # validates :name, presence: true",
+  );
+  return modified === content ? null : modified;
+}
+
+// R34. Replace hardcoded email with config setting
+export function fixRubyHardcodedEmail(content) {
+  const modified = content.replace(
+    /((?:from|to|email)\s*[:=]\s*)["'](\w+@\w+\.\w+)["']/gi,
+    "$1Rails.configuration.default_email # TODO: configure email in application.rb",
+  );
+  return modified === content ? null : modified;
+}
+
+// R35. Add rescue_from for error handling
+export function fixRubyNoErrorHandler(content) {
+  if (!/class\s+\w+Controller/.test(content)) return null;
+  if (/rescue_from/.test(content)) return null;
+  const modified = content.replace(
+    /(class\s+(\w+Controller)\s*<\s*\w+)/,
+    "$1\n  rescue_from StandardError, with: :handle_error\n\n  private\n\n  def handle_error(e)\n    Rails.logger.error(e.message)\n    render json: { error: 'Internal server error' }, status: :internal_server_error\n  end",
+  );
+  return modified === content ? null : modified;
+}
+
+// ===========================================================================
+// PHP fixes (P11 – P35)
+// ===========================================================================
+
+// P11. Add escapeshellcmd to system() calls
+export function fixPhpSystemCall(content) {
+  const modified = content.replace(
+    /system\(\s*\$(\w+)\s*\)/g,
+    'system(escapeshellcmd($$1))',
+  );
+  return modified === content ? null : modified;
+}
+
+// P12. Replace passthru with proc_open
+export function fixPhpPassthru(content) {
+  const modified = content.replace(
+    /passthru\(\s*\$(\w+)\s*\)/g,
+    '/* SECURITY: replaced passthru with proc_open */\n$proc = proc_open(escapeshellcmd($$1), [1 => ["pipe", "w"]], $pipes); echo stream_get_contents($pipes[1]); proc_close($proc)',
+  );
+  return modified === content ? null : modified;
+}
+
+// P13. Replace preg_replace with /e modifier with preg_replace_callback
+export function fixPhpPreg_e(content) {
+  const modified = content.replace(
+    /preg_replace\(\s*(['"])([^'"]*?)e(['"]),\s*(['"][^'"]*?['"])/g,
+    'preg_replace_callback($1$2$3, function($m) { return $4; }',
+  );
+  return modified === content ? null : modified;
+}
+
+// P14. Replace global variable with function parameter
+export function fixPhpGlobalVar(content) {
+  const modified = content.replace(
+    /\bglobal\s+\$(\w+);/g,
+    '/* SECURITY: avoid global — pass $$1 as a function parameter instead */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P15. Replace magic_quotes reliance with proper escaping
+export function fixPhpMagicQuotes(content) {
+  const modified = content.replace(
+    /get_magic_quotes_gpc\(\)/g,
+    'false /* magic_quotes removed in PHP 7.4 — use prepared statements or proper escaping */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P16. Replace file_get_contents with curl + validation
+export function fixPhpFileGetContents(content) {
+  const modified = content.replace(
+    /file_get_contents\(\s*\$(\w+)\s*\)/g,
+    '/* SECURITY: validate URL before fetching */ (function() { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, filter_var($$1, FILTER_VALIDATE_URL)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); $r = curl_exec($ch); curl_close($ch); return $r; })()',
+  );
+  return modified === content ? null : modified;
+}
+
+// P17. Replace hardcoded DB credentials with env variable
+export function fixPhpHardcodedDb(content) {
+  const modified = content.replace(
+    /((?:password|passwd|db_pass)\s*=\s*)['"]([^'"]+)['"]/gi,
+    "$1getenv('DB_PASSWORD') /* TODO: set DB_PASSWORD in .env */",
+  );
+  return modified === content ? null : modified;
+}
+
+// P18. Add rate-limit middleware comment
+export function fixPhpNoRateLimit(content) {
+  if (/throttle|rate.limit|RateLimiter/i.test(content)) return null;
+  if (!/Route::/.test(content)) return null;
+  const modified = content.replace(
+    /(Route::\w+\([^)]+\))/,
+    "$1->middleware('throttle:60,1') /* TODO: configure rate limiting */",
+  );
+  return modified === content ? null : modified;
+}
+
+// P19. Add filter_var to unvalidated input
+export function fixPhpNoInputFilter(content) {
+  const modified = content.replace(
+    /\$_GET\[['"](\w+)['"]\]/g,
+    "filter_input(INPUT_GET, '$1', FILTER_SANITIZE_SPECIAL_CHARS)",
+  );
+  return modified === content ? null : modified;
+}
+
+// P20. Replace rand() with random_bytes()
+export function fixPhpWeakRandom(content) {
+  const modified = content.replace(
+    /\brand\(\s*\)/g,
+    'random_int(0, PHP_INT_MAX) /* SECURITY: use cryptographically secure random */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P21. Add type hints to function parameters
+export function fixPhpNoTypeHints(content) {
+  const modified = content.replace(
+    /function\s+(\w+)\(\s*\$(\w+)\s*\)/g,
+    'function $1(mixed $$2) /* TODO: replace mixed with proper type hint */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P22. Add CSRF token to form
+export function fixPhpNoCsrf(content) {
+  const modified = content.replace(
+    /(<form\s[^>]*method\s*=\s*["']post["'][^>]*>)/gi,
+    '$1\n    <?php echo csrf_token(); ?> <!-- SECURITY: add CSRF protection -->',
+  );
+  return modified === content ? null : modified;
+}
+
+// P23. Replace {!! !!} with {{ }} in Blade templates
+export function fixPhpBladUnescaped(content) {
+  const modified = content.replace(
+    /\{!!\s*(\$\w+)\s*!!\}/g,
+    '{{ $1 }}',
+  );
+  return modified === content ? null : modified;
+}
+
+// P24. Replace DB::raw with Eloquent query builder
+export function fixPhpLaravelRawQuery(content) {
+  const modified = content.replace(
+    /DB::select\(\s*DB::raw\(\s*"([^"]*?)\{\$(\w+)\}([^"]*?)"\s*\)\s*\)/g,
+    'DB::select("$1?$3", [$$2])',
+  );
+  return modified === content ? null : modified;
+}
+
+// P25. Add validate() call to controller method
+export function fixPhpNoValidation(content) {
+  const modified = content.replace(
+    /(\$request->(?:input|all)\(\))/g,
+    '$request->validate([/* TODO: add validation rules */]) /* SECURITY: validate input */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P26. Remove phpinfo() calls
+export function fixPhpEnvExposure(content) {
+  const modified = content.replace(
+    /\bphpinfo\(\s*\)\s*;?/g,
+    '/* SECURITY: phpinfo() removed — exposes server configuration */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P27. Set APP_DEBUG to false
+export function fixPhpDebugMode(content) {
+  const modified = content.replace(
+    /APP_DEBUG\s*=\s*true/gi,
+    "APP_DEBUG=false /* SECURITY: disable debug mode in production */",
+  );
+  return modified === content ? null : modified;
+}
+
+// P28. Add open_basedir directive
+export function fixPhpOpenBasedir(content) {
+  if (/open_basedir/.test(content)) return null;
+  const modified = content.replace(
+    /(<\?php)/,
+    '$1\nini_set("open_basedir", __DIR__); /* SECURITY: restrict file access to application directory */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P29. Disable allow_url_include
+export function fixPhpAllowUrlInclude(content) {
+  const modified = content.replace(
+    /allow_url_include\s*=\s*(?:On|1|true)/gi,
+    'allow_url_include = Off ; SECURITY: remote file inclusion disabled',
+  );
+  return modified === content ? null : modified;
+}
+
+// P30. Disable display_errors
+export function fixPhpNoErrorDisplay(content) {
+  const modified = content.replace(
+    /display_errors\s*=\s*(?:On|1|true)/gi,
+    'display_errors = Off ; SECURITY: do not expose errors to users',
+  );
+  return modified === content ? null : modified;
+}
+
+// P31. Replace hardcoded secret with getenv()
+export function fixPhpHardcodedSecret(content) {
+  const modified = content.replace(
+    /((?:secret|api_key|app_key)\s*=\s*)['"]([^'"]{8,})['"]/gi,
+    "$1getenv('APP_SECRET') /* TODO: set APP_SECRET in .env */",
+  );
+  return modified === content ? null : modified;
+}
+
+// P32. Validate mime type and extension on upload
+export function fixPhpInsecureUpload(content) {
+  const modified = content.replace(
+    /move_uploaded_file\(\s*\$_FILES\[['"](\w+)['"]\]\['tmp_name'\],\s*([^)]+)\)/g,
+    "/* SECURITY: validate upload before moving */\n$allowed = ['image/jpeg','image/png','application/pdf'];\nif (in_array($_FILES['$1']['type'], \\$allowed) && preg_match('/\\\\.(jpg|png|pdf)$/i', $_FILES['$1']['name'])) {\n  move_uploaded_file($_FILES['$1']['tmp_name'], $2);\n}",
+  );
+  return modified === content ? null : modified;
+}
+
+// P33. Add ob_start() for output buffering
+export function fixPhpNoOutputBuffering(content) {
+  if (/ob_start/.test(content)) return null;
+  const modified = content.replace(
+    /(<\?php)/,
+    '$1\nob_start(); /* Enable output buffering */',
+  );
+  return modified === content ? null : modified;
+}
+
+// P34. Replace direct SQL string with query builder
+export function fixPhpDirectSql(content) {
+  const modified = content.replace(
+    /\$\w+->query\(\s*"([^"]*?)\$(\w+)([^"]*?)"\s*\)/g,
+    '$$2_stmt = $$1->prepare("$1?$3"); $$2_stmt->execute([$$2])',
+  );
+  return modified === content ? null : modified;
+}
+
+// P35. Regenerate session ID on login
+export function fixPhpSessionRegenerate(content) {
+  if (/session_regenerate_id/.test(content)) return null;
+  const modified = content.replace(
+    /((?:login|authenticate|sign_in)\s*\([^)]*\)\s*\{)/gi,
+    '$1\n    session_regenerate_id(true); /* SECURITY: prevent session fixation */',
+  );
+  return modified === content ? null : modified;
+}
+
+// ===========================================================================
+// Registry — maps fix IDs to { fn, tier, title }
+// ===========================================================================
+export const rubyPhpFixes = {
+  // Ruby (R1-R10) — re-exported from fixer.js
+  'fix-ruby-find-by-sql': { fn: fixRubyFindBySql, tier: 2, title: 'Replace find_by_sql interpolation with parameterized query' },
+  'fix-ruby-html-safe': { fn: fixRubyHtmlSafe, tier: 2, title: 'Replace html_safe with sanitize()' },
+  'fix-ruby-system-call': { fn: fixRubySystemCall, tier: 2, title: 'Replace system() interpolation with argument list' },
+  'fix-ruby-yaml-load': { fn: fixRubyYamlLoad, tier: 1, title: 'Replace YAML.load with YAML.safe_load' },
+  'fix-ruby-marshal-load': { fn: fixRubyMarshalLoad, tier: 2, title: 'Add warning to Marshal.load usage' },
+  'fix-ruby-permit-all': { fn: fixRubyPermitAll, tier: 2, title: 'Replace permit! with explicit field list' },
+  'fix-ruby-skip-csrf': { fn: fixRubySkipCsrf, tier: 2, title: 'Comment out skip_forgery_protection' },
+  'fix-ruby-eval': { fn: fixRubyEvalInput, tier: 2, title: 'Replace Ruby eval() with safer alternative' },
+  'fix-ruby-open-uri': { fn: fixRubyOpenUri, tier: 1, title: 'Replace open(url) with URI.open(url)' },
+  'fix-ruby-weak-hash': { fn: fixRubyWeakHash, tier: 1, title: 'Replace Digest::MD5 with Digest::SHA256' },
+  // Ruby (R11-R35)
+  'fix-ruby-hardcoded-secret': { fn: fixRubyHardcodedSecret, tier: 1, title: 'Replace hardcoded secret with ENV lookup' },
+  'fix-ruby-no-strong-params': { fn: fixRubyNoStrongParams, tier: 2, title: 'Add strong params to create calls' },
+  'fix-ruby-raw-output': { fn: fixRubyRawOutput, tier: 2, title: 'Replace raw output with h() helper' },
+  'fix-ruby-exec-input': { fn: fixRubyExecInput, tier: 2, title: 'Add Shellwords.shellescape to backtick commands' },
+  'fix-ruby-backticks-input': { fn: fixRubyBackticksInput, tier: 2, title: 'Replace backticks with Open3.capture3' },
+  'fix-ruby-send-unsafe': { fn: fixRubySendUnsafe, tier: 2, title: 'Replace send() with public_send()' },
+  'fix-ruby-const-get': { fn: fixRubyConstGet, tier: 2, title: 'Add allowlist check to const_get' },
+  'fix-ruby-no-timeout': { fn: fixRubyNoTimeout, tier: 1, title: 'Add timeout to Net::HTTP requests' },
+  'fix-ruby-insecure-ssl': { fn: fixRubyInsecureSsl, tier: 1, title: 'Replace VERIFY_NONE with VERIFY_PEER' },
+  'fix-ruby-no-logging': { fn: fixRubyNoLogging, tier: 1, title: 'Replace puts with Rails.logger in controllers' },
+  'fix-ruby-hardcoded-db': { fn: fixRubyHardcodedDb, tier: 1, title: 'Replace hardcoded DB password with ENV variable' },
+  'fix-ruby-session-secret': { fn: fixRubySessionSecret, tier: 1, title: 'Replace hardcoded session secret with Rails credentials' },
+  'fix-ruby-no-rate-limit': { fn: fixRubyNoRateLimit, tier: 2, title: 'Add Rack::Attack rate limiting suggestion' },
+  'fix-ruby-file-read-input': { fn: fixRubyFileReadInput, tier: 2, title: 'Sanitize path in File.read calls' },
+  'fix-ruby-glob-input': { fn: fixRubyGlobInput, tier: 2, title: 'Escape user input in Dir.glob' },
+  'fix-ruby-regexp-input': { fn: fixRubyRegexpInput, tier: 2, title: 'Wrap user input in Regexp.escape' },
+  'fix-ruby-no-auth': { fn: fixRubyNoAuth, tier: 2, title: 'Add before_action :authenticate_user!' },
+  'fix-ruby-render-inline': { fn: fixRubyRenderInline, tier: 2, title: 'Replace render inline: with template rendering' },
+  'fix-ruby-redirect-input': { fn: fixRubyRedirectInput, tier: 2, title: 'Add URL whitelist to redirect_to' },
+  'fix-ruby-no-encrypted-creds': { fn: fixRubyNoEncryptedCreds, tier: 1, title: 'Replace ENV secrets with Rails.credentials' },
+  'fix-ruby-deprecated-find': { fn: fixRubyDeprecatedFind, tier: 1, title: 'Replace deprecated find(:all) with where()' },
+  'fix-ruby-mass-assignment': { fn: fixRubyMassAssignment, tier: 2, title: 'Replace update_attributes(params) with strong params' },
+  'fix-ruby-no-validation': { fn: fixRubyNoValidation, tier: 2, title: 'Add model validation stubs' },
+  'fix-ruby-hardcoded-email': { fn: fixRubyHardcodedEmail, tier: 1, title: 'Replace hardcoded email with config setting' },
+  'fix-ruby-no-error-handler': { fn: fixRubyNoErrorHandler, tier: 2, title: 'Add rescue_from error handler' },
+  // PHP (P1-P10) — re-exported from fixer.js
+  'fix-php-mysql-query': { fn: fixPhpMysqlQuery, tier: 2, title: 'Replace mysql_query with PDO prepared statement' },
+  'fix-php-echo': { fn: fixPhpEchoUnsafe, tier: 1, title: 'Add htmlspecialchars to echoed user input' },
+  'fix-php-eval': { fn: fixPhpEval, tier: 2, title: 'Add security warning to PHP eval()' },
+  'fix-php-exec': { fn: fixPhpExecInput, tier: 2, title: 'Add escapeshellarg to exec() calls' },
+  'fix-php-md5-password': { fn: fixPhpMd5Password, tier: 1, title: 'Replace md5() with password_hash()' },
+  'fix-php-extract': { fn: fixPhpExtractPost, tier: 2, title: 'Replace extract() with explicit assignments' },
+  'fix-php-loose-comparison': { fn: fixPhpLooseComparison, tier: 1, title: 'Replace == with === in PHP auth contexts' },
+  'fix-php-session-config': { fn: fixPhpSessionConfig, tier: 1, title: 'Add secure session cookie settings' },
+  'fix-php-unserialize': { fn: fixPhpUnserialize, tier: 2, title: 'Add allowed_classes restriction to unserialize()' },
+  'fix-php-include': { fn: fixPhpIncludeInput, tier: 2, title: 'Add warning to include with user input' },
+  // PHP (P11-P35)
+  'fix-php-system-call': { fn: fixPhpSystemCall, tier: 2, title: 'Add escapeshellcmd to system() calls' },
+  'fix-php-passthru': { fn: fixPhpPassthru, tier: 2, title: 'Replace passthru with proc_open' },
+  'fix-php-preg-e': { fn: fixPhpPreg_e, tier: 2, title: 'Replace preg_replace /e with preg_replace_callback' },
+  'fix-php-global-var': { fn: fixPhpGlobalVar, tier: 2, title: 'Replace global variable with function parameter' },
+  'fix-php-magic-quotes': { fn: fixPhpMagicQuotes, tier: 1, title: 'Remove magic_quotes reliance' },
+  'fix-php-file-get-contents': { fn: fixPhpFileGetContents, tier: 2, title: 'Replace file_get_contents with curl + validation' },
+  'fix-php-hardcoded-db': { fn: fixPhpHardcodedDb, tier: 1, title: 'Replace hardcoded DB password with getenv()' },
+  'fix-php-no-rate-limit': { fn: fixPhpNoRateLimit, tier: 2, title: 'Add throttle middleware to routes' },
+  'fix-php-no-input-filter': { fn: fixPhpNoInputFilter, tier: 2, title: 'Replace $_GET with filter_input()' },
+  'fix-php-weak-random': { fn: fixPhpWeakRandom, tier: 1, title: 'Replace rand() with random_int()' },
+  'fix-php-no-type-hints': { fn: fixPhpNoTypeHints, tier: 1, title: 'Add type hints to function parameters' },
+  'fix-php-no-csrf': { fn: fixPhpNoCsrf, tier: 2, title: 'Add CSRF token to POST forms' },
+  'fix-php-blade-unescaped': { fn: fixPhpBladUnescaped, tier: 1, title: 'Replace {!! !!} with {{ }} in Blade templates' },
+  'fix-php-laravel-raw-query': { fn: fixPhpLaravelRawQuery, tier: 2, title: 'Replace DB::raw with parameterized query' },
+  'fix-php-no-validation': { fn: fixPhpNoValidation, tier: 2, title: 'Add request validation to controller' },
+  'fix-php-env-exposure': { fn: fixPhpEnvExposure, tier: 1, title: 'Remove phpinfo() calls' },
+  'fix-php-debug-mode': { fn: fixPhpDebugMode, tier: 1, title: 'Set APP_DEBUG to false' },
+  'fix-php-open-basedir': { fn: fixPhpOpenBasedir, tier: 1, title: 'Set open_basedir restriction' },
+  'fix-php-allow-url-include': { fn: fixPhpAllowUrlInclude, tier: 1, title: 'Disable allow_url_include' },
+  'fix-php-no-error-display': { fn: fixPhpNoErrorDisplay, tier: 1, title: 'Disable display_errors' },
+  'fix-php-hardcoded-secret': { fn: fixPhpHardcodedSecret, tier: 1, title: 'Replace hardcoded secret with getenv()' },
+  'fix-php-insecure-upload': { fn: fixPhpInsecureUpload, tier: 2, title: 'Validate mime type and extension on upload' },
+  'fix-php-no-output-buffering': { fn: fixPhpNoOutputBuffering, tier: 1, title: 'Add output buffering with ob_start()' },
+  'fix-php-direct-sql': { fn: fixPhpDirectSql, tier: 2, title: 'Replace direct SQL with prepared statement' },
+  'fix-php-session-regenerate': { fn: fixPhpSessionRegenerate, tier: 2, title: 'Regenerate session ID on login' },
+};