getdoorman 1.0.6 → 1.0.8
- package/package.json +1 -1
- package/src/rules/bugs/ai-codegen.js +1 -1
- package/src/rules/bugs/crypto-bugs.js +1 -1
- package/src/rules/bugs/go-bugs.js +1 -1
- package/src/rules/compliance/healthcare.js +4 -4
- package/src/rules/compliance/regional-eu.js +1 -1
- package/src/rules/compliance/regional-international.js +4 -4
- package/src/rules/infrastructure/index.js +5 -5
- package/src/rules/quality/index.js +8 -8
- package/src/rules/scope-rules.js +1 -1
- package/src/rules/security/ai-api.js +8 -8
- package/src/rules/security/auth.js +5 -5
- package/src/rules/security/csharp.js +15 -15
- package/src/rules/security/dart.js +6 -6
- package/src/rules/security/deserialization.js +1 -1
- package/src/rules/security/go.js +8 -8
- package/src/rules/security/injection.js +21 -21
- package/src/rules/security/mcp-server.js +4 -4
- package/src/rules/security/oauth-jwt.js +1 -1
- package/src/rules/security/path-traversal.js +6 -6
- package/src/rules/security/php.js +28 -28
- package/src/rules/security/ruby.js +20 -20
- package/src/rules/security/rust.js +6 -6
- package/src/rules/security/shell.js +9 -9
- package/src/rules/security/ssrf.js +1 -1
- package/src/rules/security/swift.js +3 -3
- package/src/rules/security/taint.js +1 -1
|
@@ -54,7 +54,7 @@ const rules = [
|
|
|
54
54
|
{
|
|
55
55
|
id: 'SEC-RUBY-001',
|
|
56
56
|
category: 'security',
|
|
57
|
-
severity: '
|
|
57
|
+
severity: 'high',
|
|
58
58
|
confidence: 'likely',
|
|
59
59
|
title: 'SQL Injection via String Interpolation in where()',
|
|
60
60
|
description: 'Using string interpolation inside ActiveRecord where() allows SQL injection.',
|
|
@@ -70,7 +70,7 @@ const rules = [
|
|
|
70
70
|
{
|
|
71
71
|
id: 'SEC-RUBY-002',
|
|
72
72
|
category: 'security',
|
|
73
|
-
severity: '
|
|
73
|
+
severity: 'high',
|
|
74
74
|
confidence: 'likely',
|
|
75
75
|
title: 'SQL Injection via String Concatenation in where()',
|
|
76
76
|
description: 'Concatenating user input into ActiveRecord where() enables SQL injection.',
|
|
@@ -86,7 +86,7 @@ const rules = [
|
|
|
86
86
|
{
|
|
87
87
|
id: 'SEC-RUBY-003',
|
|
88
88
|
category: 'security',
|
|
89
|
-
severity: '
|
|
89
|
+
severity: 'high',
|
|
90
90
|
confidence: 'likely',
|
|
91
91
|
title: 'Raw SQL with String Interpolation',
|
|
92
92
|
description: 'Using execute() or select_all() with interpolated strings allows SQL injection.',
|
|
@@ -102,7 +102,7 @@ const rules = [
|
|
|
102
102
|
{
|
|
103
103
|
id: 'SEC-RUBY-004',
|
|
104
104
|
category: 'security',
|
|
105
|
-
severity: '
|
|
105
|
+
severity: 'high',
|
|
106
106
|
confidence: 'likely',
|
|
107
107
|
title: 'SQL Injection via find_by_sql',
|
|
108
108
|
description: 'Using find_by_sql with string interpolation allows SQL injection.',
|
|
@@ -457,7 +457,7 @@ const rules = [
|
|
|
457
457
|
{
|
|
458
458
|
id: 'SEC-RUBY-025',
|
|
459
459
|
category: 'security',
|
|
460
|
-
severity: '
|
|
460
|
+
severity: 'high',
|
|
461
461
|
confidence: 'likely',
|
|
462
462
|
title: 'CSRF Protection Disabled via Configuration',
|
|
463
463
|
description: 'Setting allow_forgery_protection to false disables CSRF globally.',
|
|
@@ -477,7 +477,7 @@ const rules = [
|
|
|
477
477
|
{
|
|
478
478
|
id: 'SEC-RUBY-026',
|
|
479
479
|
category: 'security',
|
|
480
|
-
severity: '
|
|
480
|
+
severity: 'high',
|
|
481
481
|
confidence: 'likely',
|
|
482
482
|
title: 'Command Injection via system()',
|
|
483
483
|
description: 'Passing user input to system() allows command injection.',
|
|
@@ -493,7 +493,7 @@ const rules = [
|
|
|
493
493
|
{
|
|
494
494
|
id: 'SEC-RUBY-027',
|
|
495
495
|
category: 'security',
|
|
496
|
-
severity: '
|
|
496
|
+
severity: 'high',
|
|
497
497
|
confidence: 'likely',
|
|
498
498
|
title: 'Command Injection via Backticks',
|
|
499
499
|
description: 'Using backticks with interpolation allows command injection.',
|
|
@@ -509,7 +509,7 @@ const rules = [
|
|
|
509
509
|
{
|
|
510
510
|
id: 'SEC-RUBY-028',
|
|
511
511
|
category: 'security',
|
|
512
|
-
severity: '
|
|
512
|
+
severity: 'high',
|
|
513
513
|
confidence: 'likely',
|
|
514
514
|
title: 'Command Injection via exec()',
|
|
515
515
|
description: 'Passing user input to exec() allows command injection.',
|
|
@@ -525,7 +525,7 @@ const rules = [
|
|
|
525
525
|
{
|
|
526
526
|
id: 'SEC-RUBY-029',
|
|
527
527
|
category: 'security',
|
|
528
|
-
severity: '
|
|
528
|
+
severity: 'high',
|
|
529
529
|
confidence: 'likely',
|
|
530
530
|
title: 'Command Injection via IO.popen',
|
|
531
531
|
description: 'Using IO.popen with string interpolation allows command injection.',
|
|
@@ -541,7 +541,7 @@ const rules = [
|
|
|
541
541
|
{
|
|
542
542
|
id: 'SEC-RUBY-030',
|
|
543
543
|
category: 'security',
|
|
544
|
-
severity: '
|
|
544
|
+
severity: 'high',
|
|
545
545
|
confidence: 'likely',
|
|
546
546
|
title: 'Command Injection via Open3 with Interpolation',
|
|
547
547
|
description: 'Using Open3 methods with string interpolation allows command injection.',
|
|
@@ -561,7 +561,7 @@ const rules = [
|
|
|
561
561
|
{
|
|
562
562
|
id: 'SEC-RUBY-031',
|
|
563
563
|
category: 'security',
|
|
564
|
-
severity: '
|
|
564
|
+
severity: 'high',
|
|
565
565
|
confidence: 'likely',
|
|
566
566
|
title: 'Unsafe YAML.load',
|
|
567
567
|
description: 'YAML.load can deserialize arbitrary Ruby objects, leading to RCE.',
|
|
@@ -577,7 +577,7 @@ const rules = [
|
|
|
577
577
|
{
|
|
578
578
|
id: 'SEC-RUBY-032',
|
|
579
579
|
category: 'security',
|
|
580
|
-
severity: '
|
|
580
|
+
severity: 'high',
|
|
581
581
|
confidence: 'likely',
|
|
582
582
|
title: 'Unsafe Marshal.load',
|
|
583
583
|
description: 'Marshal.load can execute arbitrary code when deserializing untrusted data.',
|
|
@@ -593,7 +593,7 @@ const rules = [
|
|
|
593
593
|
{
|
|
594
594
|
id: 'SEC-RUBY-033',
|
|
595
595
|
category: 'security',
|
|
596
|
-
severity: '
|
|
596
|
+
severity: 'high',
|
|
597
597
|
confidence: 'likely',
|
|
598
598
|
title: 'Unsafe Marshal.restore',
|
|
599
599
|
description: 'Marshal.restore is an alias for Marshal.load and is equally dangerous.',
|
|
@@ -625,7 +625,7 @@ const rules = [
|
|
|
625
625
|
{
|
|
626
626
|
id: 'SEC-RUBY-035',
|
|
627
627
|
category: 'security',
|
|
628
|
-
severity: '
|
|
628
|
+
severity: 'high',
|
|
629
629
|
confidence: 'likely',
|
|
630
630
|
title: 'Server-Side Template Injection via ERB.new',
|
|
631
631
|
description: 'Passing user input to ERB.new allows arbitrary code execution.',
|
|
@@ -729,7 +729,7 @@ const rules = [
|
|
|
729
729
|
{
|
|
730
730
|
id: 'SEC-RUBY-041',
|
|
731
731
|
category: 'security',
|
|
732
|
-
severity: '
|
|
732
|
+
severity: 'high',
|
|
733
733
|
confidence: 'likely',
|
|
734
734
|
title: 'Code Injection via eval()',
|
|
735
735
|
description: 'Using eval with user-controlled input allows arbitrary code execution.',
|
|
@@ -761,7 +761,7 @@ const rules = [
|
|
|
761
761
|
{
|
|
762
762
|
id: 'SEC-RUBY-043',
|
|
763
763
|
category: 'security',
|
|
764
|
-
severity: '
|
|
764
|
+
severity: 'high',
|
|
765
765
|
confidence: 'likely',
|
|
766
766
|
title: 'Unsafe constantize with User Input',
|
|
767
767
|
description: 'Using constantize on user input allows instantiation of arbitrary classes.',
|
|
@@ -777,7 +777,7 @@ const rules = [
|
|
|
777
777
|
{
|
|
778
778
|
id: 'SEC-RUBY-044',
|
|
779
779
|
category: 'security',
|
|
780
|
-
severity: '
|
|
780
|
+
severity: 'high',
|
|
781
781
|
confidence: 'likely',
|
|
782
782
|
title: 'Code Injection via class_eval',
|
|
783
783
|
description: 'Using class_eval with interpolated strings allows arbitrary code execution.',
|
|
@@ -845,7 +845,7 @@ const rules = [
|
|
|
845
845
|
{
|
|
846
846
|
id: 'SEC-RUBY-048',
|
|
847
847
|
category: 'security',
|
|
848
|
-
severity: '
|
|
848
|
+
severity: 'high',
|
|
849
849
|
confidence: 'likely',
|
|
850
850
|
title: 'Hardcoded Secret Key',
|
|
851
851
|
description: 'Hardcoded secret_key_base exposes application to session forgery.',
|
|
@@ -961,7 +961,7 @@ const rules = [
|
|
|
961
961
|
{
|
|
962
962
|
id: 'SEC-RUBY-055',
|
|
963
963
|
category: 'security',
|
|
964
|
-
severity: '
|
|
964
|
+
severity: 'high',
|
|
965
965
|
confidence: 'likely',
|
|
966
966
|
title: 'Hardcoded Password',
|
|
967
967
|
description: 'Hardcoded passwords in source code can be extracted by attackers.',
|
|
@@ -1029,7 +1029,7 @@ const rules = [
|
|
|
1029
1029
|
{
|
|
1030
1030
|
id: 'SEC-RUBY-059',
|
|
1031
1031
|
category: 'security',
|
|
1032
|
-
severity: '
|
|
1032
|
+
severity: 'high',
|
|
1033
1033
|
confidence: 'likely',
|
|
1034
1034
|
title: 'Template Injection via render with User Input',
|
|
1035
1035
|
description: 'Passing user input to render() template name allows arbitrary template rendering.',
|
|
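Review bot: The old severity value is cut off on every removed line of this section (`severity: '`), so the direction and size of the re-rating cannot be confirmed from the rendered page, and nothing in the hunks or the diffstat records why it was made; the same one-line change recurs in the rust.js, shell.js and swift.js sections below and, per the diffstat, across 27 rule files. After the change, rules whose descriptions describe arbitrary code execution (SEC-RUBY-031, SEC-RUBY-032, SEC-RUBY-035, SEC-RUBY-041) carry the same `severity: 'high'` as secret-exposure and configuration findings such as SEC-RUBY-048 and SEC-RUBY-025, which flattens the ranking a consumer of these rules would use to triage. If severity feeds a reporting or CI-gating threshold elsewhere in the package (not visible here), a bulk re-rating silently changes what gets surfaced, so the rationale belongs in a comment near the top of the `rules` array, e.g. `// Severity levels: <scale as defined in this package>; bulk re-rated in 1.0.8 — see changelog.`, with a matching changelog entry. The `rules` array itself starts and ends outside these hunks.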
@@ -114,7 +114,7 @@ const rules = [
|
|
|
114
114
|
{
|
|
115
115
|
id: 'SEC-RS-005',
|
|
116
116
|
category: 'security',
|
|
117
|
-
severity: '
|
|
117
|
+
severity: 'high',
|
|
118
118
|
confidence: 'likely',
|
|
119
119
|
title: 'SQL Injection via format! in Query',
|
|
120
120
|
description: 'Using format! to build SQL queries allows injection attacks.',
|
|
@@ -130,7 +130,7 @@ const rules = [
|
|
|
130
130
|
{
|
|
131
131
|
id: 'SEC-RS-006',
|
|
132
132
|
category: 'security',
|
|
133
|
-
severity: '
|
|
133
|
+
severity: 'high',
|
|
134
134
|
confidence: 'likely',
|
|
135
135
|
title: 'SQL Injection via String Concatenation',
|
|
136
136
|
description: 'Building SQL queries with string concatenation allows injection.',
|
|
@@ -146,7 +146,7 @@ const rules = [
|
|
|
146
146
|
{
|
|
147
147
|
id: 'SEC-RS-007',
|
|
148
148
|
category: 'security',
|
|
149
|
-
severity: '
|
|
149
|
+
severity: 'high',
|
|
150
150
|
confidence: 'likely',
|
|
151
151
|
title: 'Command Injection via Command::new',
|
|
152
152
|
description: 'Passing user-controlled input to Command::new or .arg() can lead to command injection.',
|
|
@@ -162,7 +162,7 @@ const rules = [
|
|
|
162
162
|
{
|
|
163
163
|
id: 'SEC-RS-008',
|
|
164
164
|
category: 'security',
|
|
165
|
-
severity: '
|
|
165
|
+
severity: 'high',
|
|
166
166
|
confidence: 'likely',
|
|
167
167
|
title: 'Command Injection via Shell Execution',
|
|
168
168
|
description: 'Using Command::new("sh") or Command::new("bash") with -c flag and user input enables injection.',
|
|
@@ -210,7 +210,7 @@ const rules = [
|
|
|
210
210
|
{
|
|
211
211
|
id: 'SEC-RS-011',
|
|
212
212
|
category: 'security',
|
|
213
|
-
severity: '
|
|
213
|
+
severity: 'high',
|
|
214
214
|
confidence: 'likely',
|
|
215
215
|
title: 'Hardcoded Secret',
|
|
216
216
|
description: 'Secrets hardcoded in source code can be extracted from binaries.',
|
|
@@ -371,7 +371,7 @@ const rules = [
|
|
|
371
371
|
{
|
|
372
372
|
id: 'SEC-RS-021',
|
|
373
373
|
category: 'security',
|
|
374
|
-
severity: '
|
|
374
|
+
severity: 'high',
|
|
375
375
|
confidence: 'likely',
|
|
376
376
|
title: 'from_raw_parts Without Bounds Checking',
|
|
377
377
|
description: 'slice::from_raw_parts creates a slice from a raw pointer without verifying bounds, risking buffer overflows.',
|
|
@@ -55,7 +55,7 @@ const rules = [
|
|
|
55
55
|
{
|
|
56
56
|
id: 'SEC-SHELL-002',
|
|
57
57
|
category: 'security',
|
|
58
|
-
severity: '
|
|
58
|
+
severity: 'high',
|
|
59
59
|
confidence: 'likely',
|
|
60
60
|
title: 'eval with Variable Input',
|
|
61
61
|
description: 'eval executes arbitrary code and is dangerous when used with user-controlled input.',
|
|
@@ -75,7 +75,7 @@ const rules = [
|
|
|
75
75
|
{
|
|
76
76
|
id: 'SEC-SHELL-003',
|
|
77
77
|
category: 'security',
|
|
78
|
-
severity: '
|
|
78
|
+
severity: 'high',
|
|
79
79
|
confidence: 'likely',
|
|
80
80
|
title: 'Pipe to Shell (curl | bash)',
|
|
81
81
|
description: 'Piping downloaded content directly to a shell executes untrusted code without inspection.',
|
|
@@ -115,7 +115,7 @@ const rules = [
|
|
|
115
115
|
{
|
|
116
116
|
id: 'SEC-SHELL-005',
|
|
117
117
|
category: 'security',
|
|
118
|
-
severity: '
|
|
118
|
+
severity: 'high',
|
|
119
119
|
confidence: 'likely',
|
|
120
120
|
title: 'Hardcoded Password in Script',
|
|
121
121
|
description: 'Passwords hardcoded in shell scripts can be read by anyone with file access.',
|
|
@@ -247,7 +247,7 @@ const rules = [
|
|
|
247
247
|
{
|
|
248
248
|
id: 'SEC-SHELL-011',
|
|
249
249
|
category: 'security',
|
|
250
|
-
severity: '
|
|
250
|
+
severity: 'high',
|
|
251
251
|
confidence: 'likely',
|
|
252
252
|
title: 'SQL Injection in Shell Script',
|
|
253
253
|
description: 'Interpolating variables into SQL commands allows SQL injection.',
|
|
@@ -267,7 +267,7 @@ const rules = [
|
|
|
267
267
|
{
|
|
268
268
|
id: 'SEC-SHELL-012',
|
|
269
269
|
category: 'security',
|
|
270
|
-
severity: '
|
|
270
|
+
severity: 'high',
|
|
271
271
|
confidence: 'likely',
|
|
272
272
|
title: 'Command Injection via Backticks with User Input',
|
|
273
273
|
description: 'Using backticks with user-controlled variables allows arbitrary command execution.',
|
|
@@ -347,7 +347,7 @@ const rules = [
|
|
|
347
347
|
{
|
|
348
348
|
id: 'SEC-SHELL-016',
|
|
349
349
|
category: 'security',
|
|
350
|
-
severity: '
|
|
350
|
+
severity: 'high',
|
|
351
351
|
confidence: 'likely',
|
|
352
352
|
title: 'SUID/SGID Bit Setting',
|
|
353
353
|
description: 'Setting SUID/SGID bits on scripts or binaries can lead to privilege escalation.',
|
|
@@ -467,7 +467,7 @@ const rules = [
|
|
|
467
467
|
{
|
|
468
468
|
id: 'SEC-SHELL-022',
|
|
469
469
|
category: 'security',
|
|
470
|
-
severity: '
|
|
470
|
+
severity: 'high',
|
|
471
471
|
confidence: 'likely',
|
|
472
472
|
title: 'Exposed AWS Credentials',
|
|
473
473
|
description: 'AWS access keys hardcoded in shell scripts can be used to compromise cloud resources.',
|
|
@@ -507,7 +507,7 @@ const rules = [
|
|
|
507
507
|
{
|
|
508
508
|
id: 'SEC-SHELL-024',
|
|
509
509
|
category: 'security',
|
|
510
|
-
severity: '
|
|
510
|
+
severity: 'high',
|
|
511
511
|
confidence: 'likely',
|
|
512
512
|
title: 'Firewall Disabled',
|
|
513
513
|
description: 'Disabling firewall rules removes a critical security layer.',
|
|
@@ -547,7 +547,7 @@ const rules = [
|
|
|
547
547
|
{
|
|
548
548
|
id: 'SEC-SHELL-026',
|
|
549
549
|
category: 'security',
|
|
550
|
-
severity: '
|
|
550
|
+
severity: 'high',
|
|
551
551
|
confidence: 'likely',
|
|
552
552
|
title: 'Obfuscated Command Execution',
|
|
553
553
|
description: 'Decoding base64 and piping to shell is a common technique to hide malicious commands.',
|
|
@@ -55,7 +55,7 @@ const rules = [
|
|
|
55
55
|
{
|
|
56
56
|
id: 'SEC-SWIFT-002',
|
|
57
57
|
category: 'security',
|
|
58
|
-
severity: '
|
|
58
|
+
severity: 'high',
|
|
59
59
|
confidence: 'likely',
|
|
60
60
|
title: 'Hardcoded API Key or Secret',
|
|
61
61
|
description: 'API keys or secrets hardcoded in source code can be extracted from compiled binaries.',
|
|
@@ -455,7 +455,7 @@ const rules = [
|
|
|
455
455
|
{
|
|
456
456
|
id: 'SEC-SWIFT-022',
|
|
457
457
|
category: 'security',
|
|
458
|
-
severity: '
|
|
458
|
+
severity: 'high',
|
|
459
459
|
confidence: 'likely',
|
|
460
460
|
title: 'Hardcoded Encryption Key',
|
|
461
461
|
description: 'Encryption keys hardcoded in source code can be extracted from the binary.',
|
|
@@ -555,7 +555,7 @@ const rules = [
|
|
|
555
555
|
{
|
|
556
556
|
id: 'SEC-SWIFT-027',
|
|
557
557
|
category: 'security',
|
|
558
|
-
severity: '
|
|
558
|
+
severity: 'high',
|
|
559
559
|
confidence: 'likely',
|
|
560
560
|
title: 'SQL Injection in SQLite',
|
|
561
561
|
description: 'String interpolation in SQLite queries allows SQL injection.',
|