getdoorman 1.0.9 → 1.1.1

package/src/rules/security/crypto.js

@@ -259,7 +259,7 @@ export default rules;
 
 // SEC-CRY-011: Hardcoded encryption key
 rules.push({
-  id: 'SEC-CRY-011', category: 'security', severity: 'critical', confidence: 'definite',
+  id: 'SEC-CRY-011', category: 'security', severity: 'high', confidence: 'definite',
   title: 'Hardcoded encryption key or IV',
   check({ files }) {
     const findings = [];
@@ -467,7 +467,7 @@ rules.push({
 
 // SEC-CRY-021: Hardcoded salt
 rules.push({
-  id: 'SEC-CRY-021', category: 'security', severity: 'critical', confidence: 'definite',
+  id: 'SEC-CRY-021', category: 'security', severity: 'high', confidence: 'definite',
   title: 'Hardcoded salt for password hashing',
   check({ files }) {
     const findings = [];

package/src/rules/security/csharp.js

@@ -132,7 +132,7 @@ const rules = [
   {
     id: 'SEC-CS-006',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Insecure Deserialization: BinaryFormatter',
     description: 'BinaryFormatter is inherently insecure and can execute arbitrary code during deserialization.',
@@ -603,7 +603,7 @@ const rules = [
   {
     id: 'SEC-CS-035',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'CORS: Credentials with Any Origin',
     description: 'AllowCredentials with AllowAnyOrigin is a severe misconfiguration.',
@@ -731,7 +731,7 @@ const rules = [
   {
     id: 'SEC-CS-043',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Certificate Validation Disabled',
     description: 'Disabling certificate validation allows man-in-the-middle attacks.',

package/src/rules/security/csrf.js

@@ -34,7 +34,7 @@ const rules = [
 
   // SEC-CSRF-002
   {
-    id: 'SEC-CSRF-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CSRF-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CSRF token not validated on server',
     check({ files }) {
       const findings = [];

package/src/rules/security/file-upload.js

@@ -95,7 +95,7 @@ const rules = [
 
   // SEC-UPL-005
   {
-    id: 'SEC-UPL-005', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-UPL-005', category: 'security', severity: 'high', confidence: 'definite',
     title: 'Executable file upload allowed',
     check({ files }) {
       const findings = [];

package/src/rules/security/go.js

@@ -258,7 +258,7 @@ const rules = [
   {
     id: 'SEC-GO-014',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Insecure TLS: Certificate Verification Disabled',
     description: 'Setting InsecureSkipVerify to true disables TLS certificate validation, enabling MITM attacks.',
@@ -450,7 +450,7 @@ const rules = [
   {
     id: 'SEC-GO-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'CORS Allow Credentials with Wildcard Origin',
     description: 'Allowing credentials with wildcard origin is a severe misconfiguration enabling credential theft.',
@@ -482,7 +482,7 @@ const rules = [
   {
     id: 'SEC-GO-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'JWT None Algorithm Accepted',
     description: 'Not validating the JWT signing method allows attackers to use the "none" algorithm to forge tokens.',

package/src/rules/security/misconfiguration.js

@@ -59,7 +59,7 @@ const rules = [
   {
     id: 'SEC-MISC-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Public S3 bucket configuration detected',
     check({ files }) {
@@ -82,7 +82,7 @@ const rules = [
   {
     id: 'SEC-MISC-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Database bound to all network interfaces',
     check({ files }) {
@@ -268,7 +268,7 @@ const rules = [
   {
     id: 'SEC-MISC-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Permissive database security rules',
     check({ files }) {
@@ -592,7 +592,7 @@ const rules = [
   {
     id: 'SEC-MISC-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Overly permissive IAM policy detected',
     check({ files }) {

package/src/rules/security/oauth-jwt.js

@@ -39,7 +39,7 @@ const rules = [
   {
     id: 'SEC-JWT-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'JWT Algorithm "none" Allowed',
     description:
@@ -108,7 +108,7 @@ const rules = [
   {
     id: 'SEC-JWT-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Weak JWT Signing Secret',
     description:
@@ -241,10 +241,13 @@ const rules = [
       const findings = [];
       const callbackPattern = /(?:\/callback|\/oauth\/callback|\/auth\/callback)/;
       const tokenExchange = /(?:getToken|requestToken|exchangeCode|code.*token|grant_type.*authorization_code)/;
+      // Check if ANY file in the project validates OAuth state (cross-file check)
+      const projectHasStateValidation = [...files.values()].some(c => /(?:state|csrf|nonce).*(?:verify|validate|check|compare|match|===)/i.test(c));
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (!isJS(path)) continue;
         if (callbackPattern.test(content) && tokenExchange.test(content)) {
+          if (projectHasStateValidation) continue; // State is validated somewhere in the project
           if (!/(?:state|csrf|nonce)/.test(content)) {
             findings.push({
               ruleId: this.id,

package/src/rules/security/prototype-pollution.js

@@ -39,7 +39,7 @@ const rules = [
   {
     id: 'SEC-PP-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Direct __proto__ Property Access',
     description:
@@ -108,7 +108,7 @@ const rules = [
   {
     id: 'SEC-PP-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Constructor Prototype Access Pattern',
     description:

package/src/rules/security/rate-limiting.js

@@ -30,7 +30,7 @@ const rules = [
 
   // SEC-RL-002
   {
-    id: 'SEC-RL-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-RL-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'No rate limiting on login endpoint',
     check({ files, stack }) {
       const findings = [];

package/src/rules/security/rust.js

@@ -274,7 +274,7 @@ const rules = [
   {
     id: 'SEC-RS-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Certificate Validation Disabled',
     description: 'Disabling TLS certificate validation allows man-in-the-middle attacks.',
@@ -290,7 +290,7 @@ const rules = [
   {
     id: 'SEC-RS-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Hostname Validation Disabled',
     description: 'Disabling hostname validation in TLS allows certificate substitution attacks.',
@@ -549,7 +549,7 @@ const rules = [
   {
     id: 'SEC-RS-032',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Hardcoded Private Key',
     description: 'Private keys embedded in source code can be extracted and used to impersonate the service.',

package/src/rules/security/ssrf.js

@@ -96,7 +96,7 @@ const rules = [
   {
     id: 'SEC-SSRF-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Cloud Metadata Endpoint URL in Code',
     description:
@@ -105,14 +105,18 @@ const rules = [
     check({ files }) {
       const findings = [];
       const pattern = /169\.254\.169\.254|metadata\.google\.internal|metadata\.azure\.com/;
-      const blocklistContext = /block|deny|forbidden|not.?allowed|invalid|reject|blacklist|safelist|denylist|disallow|banned|BLOCKED/i;
+      const safeContext = /block|deny|forbidden|not.?allowed|invalid|reject|blacklist|safelist|denylist|disallow|banned|BLOCKED|isAllowed|validate|security|guard|check|filter|protect/i;
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (isJS(path)) {
           const lines = content.split('\n');
           for (let i = 0; i < lines.length; i++) {
-            if (pattern.test(lines[i]) && !blocklistContext.test(lines[i])) {
-              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+            if (pattern.test(lines[i])) {
+              // Check ±5 lines for security/validation context
+              const ctx = lines.slice(Math.max(0, i - 5), i + 5).join(' ');
+              if (!safeContext.test(ctx)) {
+                findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+              }
             }
           }
         }

package/src/rules/security/supply-chain-advanced.js

@@ -40,7 +40,7 @@ const rules = [
   {
     id: 'SEC-SCA-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Postinstall Script Executes Binary or Shell Command',
     description:
@@ -77,7 +77,7 @@ const rules = [
   {
     id: 'SEC-SCA-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Install Hook Downloads and Executes Remote Code',
     description:

package/src/rules/security/xss.js

@@ -230,7 +230,7 @@ const rules = [
   {
     id: 'SEC-XSS-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'javascript: protocol in href/src attributes',
     check({ files }) {
@@ -498,7 +498,7 @@ const rules = [
     },
   },
   // SEC-XSS-013: Server-side reflected XSS via res.send/res.write
-  { id: 'SEC-XSS-013', category: 'security', severity: 'critical', confidence: 'definite', title: 'Server-Side Reflected XSS via res.send()',
+  { id: 'SEC-XSS-013', category: 'security', severity: 'high', confidence: 'definite', title: 'Server-Side Reflected XSS via res.send()',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {

package/src/simple-checks.js

@@ -0,0 +1,257 @@
+/**
+ * Doorman Simple Checks — 10 things that matter, zero false positives.
+ * Each check returns { pass: boolean, message: string, file?: string, line?: number }
+ */
+
+const CHECKS = [
+  {
+    id: 'leaked-keys',
+    name: 'Leaked API Keys',
+    icon: '🔑',
+    pass: 'No leaked API keys found',
+    fail: 'API key hardcoded in source code',
+    check(files) {
+      const patterns = [
+        { name: 'AWS Access Key', regex: /(?:^|[^A-Z0-9])AKIA[0-9A-Z]{16}(?:[^A-Z0-9]|$)/ },
+        { name: 'Stripe Secret Key', regex: /sk_live_[0-9a-zA-Z]{24,}/ },
+        { name: 'OpenAI API Key', regex: /sk-[a-zA-Z0-9]{20,}T3BlbkFJ/ },
+        { name: 'Anthropic API Key', regex: /sk-ant-[a-zA-Z0-9-]{20,}/ },
+        { name: 'GitHub Token', regex: /ghp_[0-9a-zA-Z]{36}/ },
+        { name: 'Supabase Service Key', regex: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]{50,}/ },
+        { name: 'Google API Key', regex: /AIza[0-9A-Za-z_-]{35}/ },
+        { name: 'Slack Token', regex: /xoxb-[0-9]{11,}-[0-9a-zA-Z]{24,}/ },
+      ];
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (fp.endsWith('.example') || fp.endsWith('.sample') || fp.endsWith('.template')) continue;
+        if (/test|spec|mock|fixture|__test__|\.test\.|\.spec\./i.test(fp)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*(\/\/|#|\*|\/\*)/.test(lines[i])) continue; // skip comments
+          for (const p of patterns) {
+            if (p.regex.test(lines[i])) {
+              findings.push({ message: `${p.name} found`, file: fp, line: i + 1 });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'env-exposed',
+    name: '.env File Exposed',
+    icon: '📄',
+    pass: '.env is safe (in .gitignore)',
+    fail: '.env file may be committed to git',
+    check(files) {
+      const hasEnv = [...files.keys()].some(f => f === '.env' || f.match(/^\.env\.[^.]+$/) && !f.endsWith('.example') && !f.endsWith('.sample'));
+      const hasGitignore = files.has('.gitignore');
+      const gitignoreContent = files.get('.gitignore') || '';
+      const envInGitignore = /^\.env$/m.test(gitignoreContent) || /^\.env\b/m.test(gitignoreContent);
+
+      if (hasEnv && !envInGitignore) {
+        return [{ message: '.env file found but not in .gitignore' }];
+      }
+      return [];
+    },
+  },
+  {
+    id: 'sql-injection',
+    name: 'SQL Injection',
+    icon: '💉',
+    pass: 'No SQL injection patterns found',
+    fail: 'SQL query built with user input',
+    check(files) {
+      const findings = [];
+      const sqlPattern = /(?:query|execute|raw)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b[^`]*\$\{/i;
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php)$/)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const block = lines.slice(i, i + 3).join(' ');
+          if (sqlPattern.test(block)) {
+            findings.push({ message: 'SQL query built with template literal', file: fp, line: i + 1 });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'no-error-handling',
+    name: 'Missing Error Handling',
+    icon: '💥',
+    pass: 'API routes have error handling',
+    fail: 'API route will crash on error',
+    check(files) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
+        if (!fp.match(/api|route|handler|controller/i)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\b/.test(lines[i])) {
+            const body = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+            if (!/try\s*\{|\.catch\s*\(/.test(body)) {
+              findings.push({ message: `${fp.split('/').pop()} has no error handling`, file: fp, line: i + 1 });
+              break; // one per file
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'hardcoded-secrets',
+    name: 'Hardcoded Secrets',
+    icon: '🔒',
+    pass: 'No hardcoded passwords or secrets',
+    fail: 'Password or secret hardcoded in source',
+    check(files) {
+      const findings = [];
+      const pattern = /(?:password|passwd|pwd|secret|secret_key|jwt_secret)\s*[:=]\s*['"][^'"]{8,}['"]/i;
+      for (const [fp, content] of files) {
+        if (/test|spec|mock|example|sample|\.env/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx|py|rb|go|java|php|yml|yaml|json)$/)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*(\/\/|#|\*|\/\*)/.test(lines[i])) continue;
+          if (pattern.test(lines[i]) && !/process\.env|os\.environ|ENV\[|config\.|getenv/i.test(lines[i])) {
+            findings.push({ message: 'Hardcoded secret', file: fp, line: i + 1 });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'eval-danger',
+    name: 'Code Execution',
+    icon: '⚠️',
+    pass: 'No dangerous eval() or exec() calls',
+    fail: 'eval() or exec() with dynamic input',
+    check(files) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/^\s*(\/\/|#|\*|\/\*)/.test(lines[i])) continue;
+          // Only flag eval() with variable input, not eval('literal')
+          if (/\beval\s*\(\s*(?!['"`])/.test(lines[i]) || /new\s+Function\s*\(\s*(?!['"`])/.test(lines[i])) {
+            findings.push({ message: 'eval() with dynamic input', file: fp, line: i + 1 });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'ai-cost-waste',
+    name: 'AI Cost Waste',
+    icon: '💰',
+    pass: 'AI API calls look efficient',
+    fail: 'AI API called without caching or limits',
+    check(files) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
+        // Check for AI API calls without max_tokens
+        if (/openai|anthropic|chat\.completions\.create|messages\.create/i.test(content)) {
+          if (!/max_tokens|maxTokens|max_output_tokens/i.test(content)) {
+            findings.push({ message: 'AI API call without token limit', file: fp });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'debug-in-prod',
+    name: 'Debug Code Left In',
+    icon: '🐛',
+    pass: 'No debug code in production files',
+    fail: 'console.log or debug code left in',
+    check(files) {
+      const findings = [];
+      let count = 0;
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        if (!fp.match(/\.(js|ts|jsx|tsx)$/)) continue;
+        if (fp.includes('logger') || fp.includes('debug') || fp.includes('config')) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/console\.log\(/.test(lines[i]) && !/\/\//.test(lines[i].split('console')[0])) {
+            count++;
+            if (count <= 3) findings.push({ message: 'console.log left in code', file: fp, line: i + 1 });
+          }
+        }
+      }
+      if (count > 3) findings.push({ message: `...and ${count - 3} more console.log calls` });
+      return findings;
+    },
+  },
+  {
+    id: 'open-database',
+    name: 'Database Security',
+    icon: '🗄️',
+    pass: 'Database configuration looks secure',
+    fail: 'Database may be publicly accessible',
+    check(files) {
+      const findings = [];
+      for (const [fp, content] of files) {
+        if (/test|spec|mock/i.test(fp)) continue;
+        // MongoDB without auth
+        if (/mongodb:\/\/(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?\/\w+['"]/.test(content) && !/authSource|user.*password|mongodb\+srv/i.test(content)) {
+          findings.push({ message: 'MongoDB connection without authentication', file: fp });
+        }
+        // Binding to all interfaces
+        if (/\.listen\(\s*\d+\s*,\s*['"]0\.0\.0\.0['"]/.test(content)) {
+          findings.push({ message: 'Server bound to all network interfaces (0.0.0.0)', file: fp });
+        }
+      }
+      return findings;
+    },
+  },
+  {
+    id: 'outdated-deps',
+    name: 'Dangerous Dependencies',
+    icon: '📦',
+    pass: 'No known vulnerable packages',
+    fail: 'Package with known security issue',
+    check(files) {
+      const findings = [];
+      const dangerous = {
+        'event-stream': 'Compromised package — cryptocurrency theft (2018)',
+        'flatmap-stream': 'Malicious package — injected into event-stream',
+        'ua-parser-js': 'Versions <0.7.31 — cryptocurrency miner injected',
+        'colors': 'v1.4.1+ — intentional sabotage (infinite loop)',
+        'faker': 'v6+ — intentional sabotage (random data)',
+        'node-ipc': 'v10.1.1+ — intentional destructive code',
+        'node-serialize': 'All versions — RCE via deserialization',
+        'serialize-to-js': 'RCE via deserialization',
+      };
+      const pkgJson = files.get('package.json');
+      if (pkgJson) {
+        try {
+          const pkg = JSON.parse(pkgJson);
+          const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+          for (const [name, version] of Object.entries(allDeps)) {
+            if (dangerous[name]) {
+              findings.push({ message: `${name}: ${dangerous[name]}`, file: 'package.json' });
+            }
+          }
+        } catch {}
+      }
+      return findings;
+    },
+  },
+];
+
+export default CHECKS;

package/src/simple-reporter.js

@@ -0,0 +1,60 @@
+import chalk from 'chalk';
+import CHECKS from './simple-checks.js';
+
+/**
+ * Run all simple checks and print clean output.
+ * Returns { passed, failed, issues }
+ */
+export function runSimpleChecks(files) {
+  const results = [];
+
+  for (const check of CHECKS) {
+    const findings = check.check(files);
+    results.push({
+      ...check,
+      findings,
+      passed: findings.length === 0,
+    });
+  }
+
+  return results;
+}
+
+export function printSimpleReport(results) {
+  console.log('');
+  console.log(chalk.bold('  Doorman'));
+  console.log('');
+
+  let passCount = 0;
+  let failCount = 0;
+  const issues = [];
+
+  for (const r of results) {
+    if (r.passed) {
+      passCount++;
+      console.log(chalk.green(`  ✓ ${r.name}`));
+    } else {
+      failCount++;
+      console.log(chalk.red(`  ✗ ${r.name}`));
+      for (const f of r.findings.slice(0, 3)) {
+        const loc = f.file ? chalk.gray(` — ${f.file}${f.line ? ':' + f.line : ''}`) : '';
+        console.log(chalk.gray(`    ${f.message}${loc}`));
+        issues.push(`${r.name}: ${f.message}${f.file ? ' in ' + f.file + (f.line ? ':' + f.line : '') : ''}`);
+      }
+      if (r.findings.length > 3) {
+        console.log(chalk.gray(`    ...and ${r.findings.length - 3} more`));
+      }
+    }
+  }
+
+  console.log('');
+  if (failCount === 0) {
+    console.log(chalk.green.bold('  All clear. Ship it.'));
+  } else {
+    console.log(chalk.yellow(`  ${failCount} issue${failCount === 1 ? '' : 's'} to fix before shipping.`));
+    console.log(chalk.gray('  Run `npx getdoorman fix` to generate a prompt for Claude/Codex.'));
+  }
+  console.log('');
+
+  return { passCount, failCount, issues };
+}