getdoorman 1.0.5 → 1.0.7

package/src/rules/security/auth.js

@@ -75,7 +75,7 @@ const rules = [
   {
     id: 'SEC-AUTH-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Plaintext password storage detected',
     check({ files }) {
@@ -615,7 +615,7 @@ const rules = [
   {
     id: 'SEC-AUTH-014',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'OAuth open redirect via unvalidated redirect_uri',
     check({ files }) {
@@ -1012,7 +1012,7 @@ rules.push({
 
 // SEC-AUTH-026: Session fixation
 rules.push({
-  id: 'SEC-AUTH-026', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-AUTH-026', category: 'security', severity: 'high', confidence: 'likely',
   title: 'Session fixation: session not regenerated after login',
   check({ files }) {
     const findings = [];
@@ -1171,7 +1171,7 @@ rules.push({
 
 // SEC-AUTH-034: JWT decoded without verification
 rules.push({
-  id: 'SEC-AUTH-034', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-AUTH-034', category: 'security', severity: 'high', confidence: 'likely',
   title: 'JWT decoded without signature verification',
   check({ files }) {
     const findings = [];
@@ -1233,7 +1233,7 @@ rules.push({
 
 // SEC-AUTH-037: Authentication bypass via type coercion
 rules.push({
-  id: 'SEC-AUTH-037', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-AUTH-037', category: 'security', severity: 'high', confidence: 'likely',
   title: 'Password comparison with == — type coercion bypass',
   check({ files }) {
     const findings = [];

package/src/rules/security/csharp.js

@@ -50,7 +50,7 @@ const rules = [
   {
     id: 'SEC-CS-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Concatenation in SqlCommand',
     description: 'Building SQL queries with string concatenation in SqlCommand allows SQL injection.',
@@ -67,7 +67,7 @@ const rules = [
   {
     id: 'SEC-CS-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Interpolation',
     description: 'Using string interpolation ($"...") in SQL commands allows injection.',
@@ -84,7 +84,7 @@ const rules = [
   {
     id: 'SEC-CS-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String.Format',
     description: 'Using String.Format to build SQL queries enables injection attacks.',
@@ -181,7 +181,7 @@ const rules = [
   {
     id: 'SEC-CS-009',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Process.Start',
     description: 'Passing user-controlled data to Process.Start enables arbitrary command execution.',
@@ -197,7 +197,7 @@ const rules = [
   {
     id: 'SEC-CS-010',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via ProcessStartInfo',
     description: 'Setting ProcessStartInfo.Arguments with user input enables command injection.',
@@ -245,7 +245,7 @@ const rules = [
   {
     id: 'SEC-CS-013',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'LDAP Injection',
     description: 'Building LDAP filters with string concatenation allows injection attacks.',
@@ -262,7 +262,7 @@ const rules = [
   {
     id: 'SEC-CS-014',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'LDAP Injection via String Interpolation',
     description: 'Using string interpolation in LDAP filters enables injection.',
@@ -278,7 +278,7 @@ const rules = [
   {
     id: 'SEC-CS-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'XXE: XmlDocument Without Safe Settings',
     description: 'XmlDocument processes external entities by default, enabling XXE attacks.',
@@ -294,7 +294,7 @@ const rules = [
   {
     id: 'SEC-CS-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'XXE: XmlTextReader Without Safe Settings',
     description: 'XmlTextReader processes DTDs and external entities by default.',
@@ -490,7 +490,7 @@ const rules = [
   {
     id: 'SEC-CS-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Connection String',
     description: 'Database connection strings with credentials hardcoded in source code.',
@@ -506,7 +506,7 @@ const rules = [
   {
     id: 'SEC-CS-029',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Credentials',
     description: 'Passwords or API keys hardcoded in source code risk exposure.',
@@ -651,7 +651,7 @@ const rules = [
   {
     id: 'SEC-CS-038',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Dynamic Assembly Loading with User Input',
     description: 'Loading assemblies from user-controlled paths enables arbitrary code execution.',
@@ -667,7 +667,7 @@ const rules = [
   {
     id: 'SEC-CS-039',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Dynamic Type Instantiation with User Input',
     description: 'Activator.CreateInstance with user-controlled type names can instantiate malicious types.',
@@ -764,7 +764,7 @@ const rules = [
   {
     id: 'SEC-CS-045',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Encryption Key',
     description: 'Encryption keys hardcoded in source code can be extracted from assemblies.',
@@ -845,7 +845,7 @@ const rules = [
   {
     id: 'SEC-CS-050',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via Entity Framework Raw SQL',
     description: 'Using FromSqlRaw or ExecuteSqlRaw with string interpolation bypasses EF parameterization.',

package/src/rules/security/dart.js

@@ -55,7 +55,7 @@ const rules = [
   {
     id: 'SEC-DART-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded API Key or Secret',
     description: 'API keys or secrets hardcoded in Dart code can be extracted from the compiled app.',
@@ -175,7 +175,7 @@ const rules = [
   {
     id: 'SEC-DART-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection in sqflite',
     description: 'String interpolation in rawQuery/rawInsert/rawUpdate/rawDelete enables SQL injection.',
@@ -375,7 +375,7 @@ const rules = [
   {
     id: 'SEC-DART-018',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Disabled Certificate Verification in HttpClient',
     description: 'Setting SecurityContext with allowLegacyUnsafeRenegotiation disables TLS protections.',
@@ -395,7 +395,7 @@ const rules = [
   {
     id: 'SEC-DART-019',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Dynamic Code Execution',
     description: 'Using dart:mirrors or evaluateJavascript with user input can lead to code injection.',
@@ -455,7 +455,7 @@ const rules = [
   {
     id: 'SEC-DART-022',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded OAuth Client Secret',
     description: 'OAuth client secrets embedded in mobile apps can be extracted and used to impersonate the app.',
@@ -575,7 +575,7 @@ const rules = [
   {
     id: 'SEC-DART-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Process Execution with User Input',
     description: 'Process.run or Process.start with unsanitized input can lead to command injection.',

package/src/rules/security/deserialization.js

@@ -204,7 +204,7 @@ const rules = [
   {
     id: 'SEC-DES-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'XML Parser Without XXE Protection',
     description:

package/src/rules/security/go.js

@@ -50,7 +50,7 @@ const rules = [
   {
     id: 'SEC-GO-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via fmt.Sprintf in Query',
     description: 'Using fmt.Sprintf to build SQL queries passed to db.Query or db.Exec allows SQL injection.',
@@ -66,7 +66,7 @@ const rules = [
   {
     id: 'SEC-GO-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Concatenation',
     description: 'Concatenating strings to build SQL queries allows injection attacks.',
@@ -82,7 +82,7 @@ const rules = [
   {
     id: 'SEC-GO-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via exec.Command',
     description: 'Passing user-controlled input to exec.Command can lead to arbitrary command execution.',
@@ -98,7 +98,7 @@ const rules = [
   {
     id: 'SEC-GO-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Shell Execution',
     description: 'Using exec.Command with bash/sh -c and string interpolation enables command injection.',
@@ -290,7 +290,7 @@ const rules = [
   {
     id: 'SEC-GO-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded Password',
     description: 'Passwords hardcoded in source code can be extracted and used to compromise systems.',
@@ -306,7 +306,7 @@ const rules = [
   {
     id: 'SEC-GO-017',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Hardcoded API Key',
     description: 'API keys hardcoded in source code can be extracted from binaries or repositories.',
@@ -466,7 +466,7 @@ const rules = [
   {
     id: 'SEC-GO-027',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'JWT Parsing Without Proper Validation',
     description: 'Using jwt.Parse without specifying valid signing methods allows algorithm substitution attacks.',
@@ -738,7 +738,7 @@ const rules = [
   {
     id: 'SEC-GO-044',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection in GORM Raw Query',
     description: 'Using db.Raw with fmt.Sprintf allows SQL injection through GORM.',

package/src/rules/security/injection.js

@@ -42,7 +42,7 @@ const rules = [
   {
     id: 'SEC-INJ-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via String Concatenation',
     description:
@@ -82,7 +82,7 @@ const rules = [
   {
     id: 'SEC-INJ-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SQL Injection via ORM Raw Queries',
     description:
@@ -108,7 +108,7 @@ const rules = [
   {
     id: 'SEC-INJ-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'NoSQL Injection via MongoDB',
     description:
@@ -138,7 +138,7 @@ const rules = [
   {
     id: 'SEC-INJ-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via exec',
     description:
@@ -169,7 +169,7 @@ const rules = [
   {
     id: 'SEC-INJ-005',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Command Injection via Shell Spawn',
     description:
@@ -288,7 +288,7 @@ const rules = [
   {
     id: 'SEC-INJ-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Server-Side Template Injection (SSTI)',
     description:
@@ -520,7 +520,7 @@ const rules = [
   {
     id: 'SEC-INJ-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'XML External Entity (XXE) Injection',
     description:
@@ -727,7 +727,7 @@ const rules = [
   {
     id: 'SEC-INJ-019',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Prototype Pollution',
     description:
@@ -757,7 +757,7 @@ const rules = [
   {
     id: 'SEC-INJ-020',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Path Traversal',
     description:
@@ -797,7 +797,7 @@ const rules = [
   {
     id: 'SEC-INJ-021',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SSRF: fetch/axios called with user-controlled URL',
     description: 'Making HTTP requests to URLs derived from user input enables Server-Side Request Forgery (SSRF), allowing attackers to probe internal services, cloud metadata endpoints, or exfiltrate data.',
@@ -819,7 +819,7 @@ const rules = [
   {
     id: 'SEC-INJ-022',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SSRF: http.request with user-controlled host option',
     description: 'Node.js http.request/https.request called with options derived from user input allows SSRF attacks targeting internal services.',
@@ -927,7 +927,7 @@ const rules = [
   {
     id: 'SEC-INJ-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SSTI: EJS template rendered with user-controlled template string',
     description: 'Passing user input as the template string to ejs.render() allows arbitrary JavaScript execution on the server.',
@@ -949,7 +949,7 @@ const rules = [
   {
     id: 'SEC-INJ-027',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SSTI: Pug template compiled from user-controlled input',
     description: 'pug.compile() or pug.render() with user-supplied template strings allows arbitrary code execution.',
@@ -971,7 +971,7 @@ const rules = [
   {
     id: 'SEC-INJ-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'SSTI: Handlebars template compiled from user-controlled input',
     description: 'Handlebars.compile() called with user input allows template injection leading to remote code execution.',
@@ -1180,7 +1180,7 @@ const rules = [
   {
     id: 'SEC-INJ-036',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'LDAP Injection via unsanitized user input in LDAP query',
     description: 'Building LDAP filter strings with user input without escaping special characters allows LDAP injection attacks.',
@@ -1202,7 +1202,7 @@ const rules = [
   {
     id: 'SEC-INJ-037',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'eval() called with user-controlled input — arbitrary code execution',
     description: 'eval() with any user-supplied string allows remote code execution. This is one of the most dangerous patterns in JavaScript.',
@@ -1291,17 +1291,20 @@ export default rules;
 
 // SEC-INJ-041: SQL injection via template literal in raw query
 rules.push({
-  id: 'SEC-INJ-041', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-INJ-041', category: 'security', severity: 'high', confidence: 'likely',
   title: 'SQL Injection via template literal in query string',
   check({ files }) {
     const findings = [];
-    const p = /['"`]\s*(?:SELECT|INSERT|UPDATE|DELETE|CREATE|DROP|ALTER)\s[^'"`]*\$\{/i;
+    // Must have SQL keyword + SQL clause keyword (FROM/INTO/SET/WHERE/VALUES/TABLE) + ${interpolation}
+    const p = /`\s*(?:SELECT\s.*\sFROM|INSERT\s.*\sINTO|UPDATE\s.*\sSET|DELETE\s.*\sFROM|CREATE\s.*\sTABLE|DROP\s.*\sTABLE|ALTER\s.*\sTABLE)[^`]*\$\{/i;
     for (const [path, content] of files) {
       if (SKIP_PATH.test(path) || !isJS(path)) continue;
       const lines = content.split('\n');
       for (let i = 0; i < lines.length; i++) {
         if (COMMENT_LINE.test(lines[i])) continue;
-        if (p.test(lines[i])) findings.push({ ruleId: 'SEC-INJ-041', category: 'security', severity: 'critical', title: 'SQL built with template literal — injection risk', description: 'Template literals in SQL strings allow injection when they contain user input. Use parameterized queries.', file: path, line: i + 1, fix: null });
+        // Check current line + next 2 lines (SQL queries often span multiple lines)
+        const block = lines.slice(i, i + 3).join(' ');
+        if (p.test(block)) findings.push({ ruleId: 'SEC-INJ-041', category: 'security', severity: 'critical', title: 'SQL built with template literal — injection risk', description: 'Template literals in SQL strings allow injection when they contain user input. Use parameterized queries.', file: path, line: i + 1, fix: null });
       }
     }
     return findings;
@@ -1426,7 +1429,7 @@ rules.push({
 
 // SEC-INJ-048: Unsafe shell execution with variables
 rules.push({
-  id: 'SEC-INJ-048', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-INJ-048', category: 'security', severity: 'high', confidence: 'likely',
   title: 'Shell command constructed with variable interpolation',
   check({ files }) {
     const findings = [];
@@ -1467,7 +1470,7 @@ rules.push({
 
 // SEC-INJ-050: Arbitrary file read via path parameter
 rules.push({
-  id: 'SEC-INJ-050', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-INJ-050', category: 'security', severity: 'high', confidence: 'likely',
   title: 'File read using user-controlled filename — path traversal',
   check({ files }) {
     const findings = [];
@@ -1505,7 +1508,7 @@ rules.push({
 
 // SEC-INJ-052: Subprocess injection via template literal
 rules.push({
-  id: 'SEC-INJ-052', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-INJ-052', category: 'security', severity: 'high', confidence: 'likely',
   title: 'subprocess injection via template in spawn/fork',
   check({ files }) {
     const findings = [];
@@ -1543,7 +1546,7 @@ rules.push({
 
 // SEC-INJ-054: Unsafe use of vm.runInNewContext with user data
 rules.push({
-  id: 'SEC-INJ-054', category: 'security', severity: 'critical', confidence: 'likely',
+  id: 'SEC-INJ-054', category: 'security', severity: 'high', confidence: 'likely',
   title: 'vm.runInNewContext/runInContext with user data — sandbox escape risk',
   check({ files }) {
     const findings = [];

package/src/rules/security/mcp-server.js

@@ -19,8 +19,8 @@ function checkAll(rule, files, pattern) {
 const rules = [
   { id: 'SEC-MCP-001', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP tool without input validation', check({ files }) { return checkAll(this, files, /server\.tool\([^,]+,\s*async\s*\(\s*\{/); } },
   { id: 'SEC-MCP-002', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP params in file operation', check({ files }) { return checkAll(this, files, /fs\.\w+\(\s*(?:params|args|input)\.\w+/); } },
-  { id: 'SEC-MCP-003', category: 'security', severity: 'critical', confidence: 'likely', title: 'MCP params in exec/spawn', check({ files }) { return checkAll(this, files, /(?:exec|spawn|execSync)\(\s*(?:params|args|input)\./); } },
-  { id: 'SEC-MCP-004', category: 'security', severity: 'critical', confidence: 'likely', title: 'MCP params in SQL query', check({ files }) { return checkAll(this, files, /(?:query|execute)\(\s*`[^`]*\$\{(?:params|args|input)\./); } },
+  { id: 'SEC-MCP-003', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP params in exec/spawn', check({ files }) { return checkAll(this, files, /(?:exec|spawn|execSync)\(\s*(?:params|args|input)\./); } },
+  { id: 'SEC-MCP-004', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP params in SQL query', check({ files }) { return checkAll(this, files, /(?:query|execute)\(\s*`[^`]*\$\{(?:params|args|input)\./); } },
   { id: 'SEC-MCP-005', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP params in eval', check({ files }) { return checkAll(this, files, /(?:eval|new\s+Function)\(\s*(?:params|args|input)\./); } },
   { id: 'SEC-MCP-006', category: 'security', severity: 'medium', confidence: 'suggestion', title: 'MCP tool without schema', check({ files }) { return checkAll(this, files, /server\.tool\(\s*['"][^'"]+['"]\s*,\s*(?:async\s*)?\(/); } },
   { id: 'SEC-MCP-007', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP params in URL (SSRF)', check({ files }) { return checkAll(this, files, /(?:fetch|axios|got|request)\(\s*(?:params|args|input)\./); } },
@@ -47,8 +47,8 @@ const rules = [
   { id: 'SEC-MCP-028', category: 'security', severity: 'low', confidence: 'suggestion', title: 'MCP description leaks impl', check({ files }) { return checkAll(this, files, /description:\s*['"].*(?:database|internal|private)/i); } },
   { id: 'SEC-MCP-029', category: 'security', severity: 'medium', confidence: 'likely', title: 'MCP cross-tool data leak', check({ files }) { return checkAll(this, files, /(?:global|globalThis)\.\w+.*=.*(?:params|args)\./); } },
   { id: 'SEC-MCP-030', category: 'security', severity: 'medium', confidence: 'suggestion', title: 'MCP debug mode enabled', check({ files }) { return checkAll(this, files, /(?:debug|verbose)\s*[:=]\s*true/); } },
-  { id: 'SEC-MCP-031', category: 'security', severity: 'critical', confidence: 'likely', title: 'MCP shell injection', check({ files }) { return checkAll(this, files, /exec\(\s*`[^`]*\$\{(?:params|args|input)\./); } },
-  { id: 'SEC-MCP-032', category: 'security', severity: 'critical', confidence: 'likely', title: 'MCP template injection', check({ files }) { return checkAll(this, files, /(?:render|compile|template)\(\s*(?:params|args|input)\./); } },
+  { id: 'SEC-MCP-031', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP shell injection', check({ files }) { return checkAll(this, files, /(?:child_process\.|execSync|execFile)\s*\(\s*`[^`]*\$\{(?:params|args|input)\./); } },
+  { id: 'SEC-MCP-032', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP template injection', check({ files }) { return checkAll(this, files, /(?:render|compile|template)\(\s*(?:params|args|input)\./); } },
   { id: 'SEC-MCP-033', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP LDAP injection', check({ files }) { return checkAll(this, files, /(?:ldap|LDAP).*(?:search|bind).*(?:params|args)\./); } },
   { id: 'SEC-MCP-034', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP XML injection', check({ files }) { return checkAll(this, files, /[<].*\$\{(?:params|args|input)\./); } },
   { id: 'SEC-MCP-035', category: 'security', severity: 'high', confidence: 'likely', title: 'MCP header injection', check({ files }) { return checkAll(this, files, /setHeader\([^,]+,\s*(?:params|args|input)\./); } },

package/src/rules/security/oauth-jwt.js

@@ -303,7 +303,7 @@ const rules = [
   {
     id: 'SEC-JWT-010',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'JWT Payload Decoded Without Verification',
     description:

package/src/rules/security/path-traversal.js

@@ -39,7 +39,7 @@ const rules = [
   {
     id: 'SEC-PT-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'fs.readFile with User-Controlled Path (Path Traversal)',
     description:
@@ -62,7 +62,7 @@ const rules = [
   {
     id: 'SEC-PT-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'fs.writeFile with User-Controlled Path (Path Traversal)',
     description:
@@ -154,7 +154,7 @@ const rules = [
   {
     id: 'SEC-PT-006',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'fs.createReadStream with User-Controlled Path',
     description:
@@ -177,7 +177,7 @@ const rules = [
   {
     id: 'SEC-PT-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Zip Extraction Without Path Validation (Zip Slip)',
     description:
@@ -213,7 +213,7 @@ const rules = [
   {
     id: 'SEC-PT-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'fs.unlink/rm with User-Controlled Path (Arbitrary File Deletion)',
     description:
@@ -272,7 +272,7 @@ const rules = [
   {
     id: 'SEC-PT-010',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'likely',
     title: 'Template/View File Inclusion with User Input (LFI)',
     description: