ghostpatch 1.0.0

package/src/detectors/dependency.ts

@@ -0,0 +1,240 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+
+export function detect(content: string, filePath: string, _language: string): Finding[] {
+  const findings: Finding[] = [];
+  const basename = path.basename(filePath);
+
+  if (basename === 'package.json') {
+    findings.push(...checkPackageJson(content, filePath));
+  } else if (basename === 'requirements.txt' || basename === 'Pipfile') {
+    findings.push(...checkPythonDeps(content, filePath));
+  } else if (basename === 'pom.xml') {
+    findings.push(...checkMavenDeps(content, filePath));
+  } else if (basename === 'go.mod') {
+    findings.push(...checkGoDeps(content, filePath));
+  } else if (basename === 'Gemfile') {
+    findings.push(...checkRubyDeps(content, filePath));
+  }
+
+  return findings;
+}
+
+function checkPackageJson(content: string, filePath: string): Finding[] {
+  const findings: Finding[] = [];
+  try {
+    const pkg = JSON.parse(content);
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+    // Check for wildcard or latest versions
+    const lines = content.split('\n');
+    for (const [name, version] of Object.entries(allDeps)) {
+      const ver = version as string;
+      if (ver === '*' || ver === 'latest' || ver === '') {
+        const lineNum = findLine(lines, name);
+        findings.push({
+          id: `DEP-WILDCARD-${filePath}:${lineNum}`,
+          ruleId: 'DEP-WILDCARD',
+          title: `Wildcard Dependency: ${name}`,
+          description: `Package "${name}" uses wildcard version "${ver}". This can introduce breaking changes or vulnerabilities.`,
+          severity: Severity.MEDIUM,
+          confidence: 'high',
+          filePath, line: lineNum,
+          codeSnippet: getSnippetFromLines(lines, lineNum - 1),
+          cwe: 'CWE-1104', owasp: 'A06',
+          remediation: 'Pin to a specific version range (e.g., ^1.2.3).',
+          fingerprint: generateFingerprint('DEP-WILDCARD', filePath, name),
+        });
+      }
+    }
+
+    // Check for known vulnerable packages
+    const knownVulnerable: Record<string, { maxSafe: string; cve: string; desc: string }> = {
+      'lodash': { maxSafe: '4.17.21', cve: 'CVE-2021-23337', desc: 'Prototype pollution in lodash' },
+      'minimist': { maxSafe: '1.2.6', cve: 'CVE-2021-44906', desc: 'Prototype pollution in minimist' },
+      'node-fetch': { maxSafe: '2.6.7', cve: 'CVE-2022-0235', desc: 'Exposure of sensitive information' },
+      'express': { maxSafe: '4.18.2', cve: 'CVE-2024-29041', desc: 'Open redirect in express' },
+      'axios': { maxSafe: '1.6.0', cve: 'CVE-2023-45857', desc: 'CSRF in axios' },
+      'jsonwebtoken': { maxSafe: '9.0.0', cve: 'CVE-2022-23529', desc: 'Insecure default algorithm' },
+    };
+
+    for (const [name, info] of Object.entries(knownVulnerable)) {
+      if (allDeps[name]) {
+        const lineNum = findLine(lines, name);
+        findings.push({
+          id: `DEP-VULN-${name}-${filePath}:${lineNum}`,
+          ruleId: 'DEP-KNOWN-VULN',
+          title: `Potentially Vulnerable: ${name}`,
+          description: `${info.desc} (${info.cve}). Check if version is below ${info.maxSafe}.`,
+          severity: Severity.MEDIUM,
+          confidence: 'low',
+          filePath, line: lineNum,
+          codeSnippet: getSnippetFromLines(lines, lineNum - 1),
+          cwe: 'CWE-1035', owasp: 'A06',
+          remediation: `Update ${name} to version ${info.maxSafe} or later.`,
+          fingerprint: generateFingerprint('DEP-KNOWN-VULN', filePath, name),
+        });
+      }
+    }
+  } catch {
+    // Invalid JSON — skip
+  }
+  return findings;
+}
+
+function checkPythonDeps(content: string, filePath: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+  const knownVuln: Record<string, string> = {
+    'django': 'CVE-2023-46695',
+    'flask': 'CVE-2023-30861',
+    'requests': 'CVE-2023-32681',
+    'pillow': 'CVE-2023-44271',
+    'pyyaml': 'CVE-2020-14343',
+    'jinja2': 'CVE-2024-22195',
+  };
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i].trim();
+    if (!line || line.startsWith('#')) continue;
+    const match = line.match(/^([a-zA-Z0-9_-]+)/);
+    if (match) {
+      const pkg = match[1].toLowerCase();
+      if (knownVuln[pkg]) {
+        findings.push({
+          id: `DEP-PY-${pkg}-${filePath}:${i + 1}`,
+          ruleId: 'DEP-PYTHON-VULN',
+          title: `Check Python Package: ${pkg}`,
+          description: `Package ${pkg} has known vulnerability ${knownVuln[pkg]}. Verify version.`,
+          severity: Severity.MEDIUM, confidence: 'low',
+          filePath, line: i + 1,
+          codeSnippet: getSnippetFromLines(lines, i),
+          cwe: 'CWE-1035', owasp: 'A06',
+          remediation: `Update ${pkg} to the latest patched version.`,
+          fingerprint: generateFingerprint('DEP-PYTHON-VULN', filePath, pkg),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function checkMavenDeps(content: string, filePath: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+  const knownVuln = ['log4j', 'commons-collections', 'struts', 'spring-core'];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pkg of knownVuln) {
+      if (line.includes(pkg)) {
+        findings.push({
+          id: `DEP-MAVEN-${pkg}-${filePath}:${i + 1}`,
+          ruleId: 'DEP-MAVEN-VULN',
+          title: `Check Maven Dependency: ${pkg}`,
+          description: `Package ${pkg} has a history of critical vulnerabilities. Verify version.`,
+          severity: Severity.MEDIUM, confidence: 'low',
+          filePath, line: i + 1,
+          codeSnippet: getSnippetFromLines(lines, i),
+          cwe: 'CWE-1035', owasp: 'A06',
+          remediation: `Update ${pkg} to the latest patched version.`,
+          fingerprint: generateFingerprint('DEP-MAVEN-VULN', filePath, pkg),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function checkGoDeps(content: string, filePath: string): Finding[] {
+  return []; // Go module checking would require network access
+}
+
+function checkRubyDeps(content: string, filePath: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+  const knownVuln = ['rails', 'rack', 'actionpack', 'activesupport'];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    for (const pkg of knownVuln) {
+      if (line.includes(`'${pkg}'`) || line.includes(`"${pkg}"`)) {
+        findings.push({
+          id: `DEP-RUBY-${pkg}-${filePath}:${i + 1}`,
+          ruleId: 'DEP-RUBY-VULN',
+          title: `Check Ruby Gem: ${pkg}`,
+          description: `Gem ${pkg} has known vulnerabilities. Verify version.`,
+          severity: Severity.MEDIUM, confidence: 'low',
+          filePath, line: i + 1,
+          codeSnippet: getSnippetFromLines(lines, i),
+          cwe: 'CWE-1035', owasp: 'A06',
+          remediation: `Update ${pkg} to the latest patched version.`,
+          fingerprint: generateFingerprint('DEP-RUBY-VULN', filePath, pkg),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+export function runNpmAudit(projectDir: string): Finding[] {
+  const findings: Finding[] = [];
+  try {
+    const lockPath = path.join(projectDir, 'package-lock.json');
+    if (!fs.existsSync(lockPath)) return findings;
+
+    const result = execSync('npm audit --json 2>/dev/null', {
+      cwd: projectDir,
+      timeout: 30000,
+      encoding: 'utf-8',
+    });
+
+    const audit = JSON.parse(result);
+    if (audit.vulnerabilities) {
+      for (const [name, info] of Object.entries(audit.vulnerabilities) as [string, any][]) {
+        const severity = info.severity === 'critical' ? Severity.CRITICAL
+          : info.severity === 'high' ? Severity.HIGH
+          : info.severity === 'moderate' ? Severity.MEDIUM
+          : Severity.LOW;
+
+        findings.push({
+          id: `NPM-AUDIT-${name}`,
+          ruleId: 'DEP-NPM-AUDIT',
+          title: `Vulnerable Package: ${name}`,
+          description: `${info.via?.[0]?.title || 'Known vulnerability'} in ${name}@${info.range || 'unknown'}`,
+          severity, confidence: 'high',
+          filePath: path.join(projectDir, 'package.json'),
+          line: 1,
+          codeSnippet: `${name}: ${info.range || 'unknown version'}`,
+          cwe: info.via?.[0]?.cwe?.[0] || 'CWE-1035',
+          owasp: 'A06',
+          remediation: info.fixAvailable ? `Run: npm audit fix` : `Update ${name} manually.`,
+          fingerprint: generateFingerprint('DEP-NPM-AUDIT', name, info.range || ''),
+        });
+      }
+    }
+  } catch {
+    // npm audit failed or not available
+  }
+  return findings;
+}
+
+function findLine(lines: string[], searchTerm: string): number {
+  for (let i = 0; i < lines.length; i++) {
+    if (lines[i].includes(searchTerm)) return i + 1;
+  }
+  return 1;
+}
+
+function getSnippetFromLines(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = (start + i === index) ? '>' : ' ';
+    return `${marker} ${lineNum} | ${l}`;
+  }).join('\n');
+}

package/src/detectors/deserialize.ts

@@ -0,0 +1,106 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'DESER-JS', name: 'Insecure Deserialization (JS)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['javascript', 'typescript'],
+    pattern: /(?:serialize|node-serialize|funcster|cryo)\s*\.\s*(?:unserialize|parse|deserialize)\s*\(/i,
+    description: 'Node.js deserialization of untrusted data can lead to RCE.',
+    remediation: 'Avoid native serialization. Use JSON for data exchange.',
+  },
+  {
+    id: 'DESER-YAML-JS', name: 'Unsafe YAML Loading (JS)', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['javascript', 'typescript'],
+    pattern: /js-yaml\.load\s*\(/,
+    antiPattern: /(?:safeLoad|schema.*SAFE|JSON_SCHEMA|FAILSAFE)/i,
+    description: 'js-yaml.load() without safe schema can execute code.',
+    remediation: 'Use yaml.load(data, { schema: SAFE_SCHEMA }) or yaml.safeLoad().',
+  },
+  {
+    id: 'DESER-PICKLE', name: 'Insecure Deserialization (Python pickle)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['python'],
+    pattern: /(?:pickle\.loads?|cPickle\.loads?|shelve\.open|dill\.loads?)\s*\(/,
+    description: 'Python pickle deserialization enables arbitrary code execution.',
+    remediation: 'Avoid pickle for untrusted data. Use JSON or protocol buffers.',
+  },
+  {
+    id: 'DESER-YAML-PY', name: 'Unsafe YAML Loading (Python)', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['python'],
+    pattern: /yaml\.(?:load|unsafe_load)\s*\(/,
+    antiPattern: /(?:safe_load|SafeLoader|Loader\s*=\s*(?:yaml\.)?SafeLoader)/,
+    description: 'yaml.load() without SafeLoader enables code execution.',
+    remediation: 'Use yaml.safe_load() or yaml.load(data, Loader=SafeLoader).',
+  },
+  {
+    id: 'DESER-JAVA', name: 'Insecure Deserialization (Java)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['java', 'kotlin'],
+    pattern: /(?:ObjectInputStream|readObject\s*\(|XMLDecoder|XStream|Kryo\.readObject|Hessian)\s*[\.(]/,
+    antiPattern: /(?:ObjectInputFilter|whitelist|allowlist|resolveClass)/i,
+    description: 'Java native deserialization enables RCE.',
+    remediation: 'Use allowlist-based ObjectInputFilter or avoid native serialization.',
+  },
+  {
+    id: 'DESER-PHP', name: 'Insecure Deserialization (PHP)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['php'],
+    pattern: /(?:unserialize|phpunserialize)\s*\(\s*\$/,
+    description: 'PHP unserialize() with user input enables object injection.',
+    remediation: 'Use json_decode() instead. If using unserialize, set allowed_classes.',
+  },
+  {
+    id: 'DESER-RUBY', name: 'Insecure Deserialization (Ruby)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['ruby'],
+    pattern: /(?:Marshal\.load|YAML\.load|Psych\.load)\s*\(/,
+    antiPattern: /(?:safe_load|permitted_classes)/i,
+    description: 'Ruby deserialization of untrusted data.',
+    remediation: 'Use YAML.safe_load or JSON.parse instead.',
+  },
+  {
+    id: 'DESER-DOTNET', name: 'Insecure Deserialization (.NET)', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-502', languages: ['csharp'],
+    pattern: /(?:BinaryFormatter|SoapFormatter|NetDataContractSerializer|ObjectStateFormatter|LosFormatter)\.Deserialize\s*\(/,
+    description: '.NET deserialization with unsafe formatters.',
+    remediation: 'Use System.Text.Json or Newtonsoft.Json instead.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    if (!pat.languages.includes(language)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 3);
+          const ce = Math.min(lines.length, i + 4);
+          if (pat.antiPattern.test(lines.slice(cs, ce).join('\n'))) continue;
+        }
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id, title: pat.name, description: pat.description,
+          severity: pat.severity, confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A08',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = (start + i === index) ? '>' : ' ';
+    return `${marker} ${lineNum} | ${l}`;
+  }).join('\n');
+}

package/src/detectors/injection.ts

@@ -0,0 +1,172 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+interface DetectorPattern {
+  id: string;
+  name: string;
+  severity: Severity;
+  confidence: 'high' | 'medium' | 'low';
+  cwe: string;
+  pattern: RegExp;
+  antiPattern?: RegExp;
+  languages: string[];
+  description: string;
+  remediation: string;
+}
+
+const PATTERNS: DetectorPattern[] = [
+  {
+    id: 'INJ-SQL-CONCAT', name: 'SQL Injection (String Concatenation)', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-89', pattern: /(?:query|execute|exec|raw|prepare)\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER)\b[^'"`]*['"`]\s*\+/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby', 'csharp', 'go'],
+    description: 'SQL query constructed via string concatenation with potential user input.',
+    remediation: 'Use parameterized queries or prepared statements.',
+  },
+  {
+    id: 'INJ-SQL-TEMPLATE', name: 'SQL Injection (Template Literal)', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-89', pattern: /(?:query|execute|exec|raw)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b[^`]*\$\{/i,
+    languages: ['javascript', 'typescript'],
+    description: 'SQL query built with template literals containing interpolated values.',
+    remediation: 'Use parameterized queries or tagged template literals (e.g., sql`...`).',
+  },
+  {
+    id: 'INJ-SQL-FSTRING', name: 'SQL Injection (f-string/format)', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-89', pattern: /(?:execute|cursor)\s*\(\s*(?:f['"]|['"].*['"]\s*\.format\s*\(|['"].*['"]\s*%\s*)/i,
+    antiPattern: /(?:parameterize|placeholder|%s.*,\s*\(|%s.*,\s*\[)/,
+    languages: ['python'],
+    description: 'SQL query built with Python f-string or .format().',
+    remediation: 'Use parameterized queries with %s placeholders and tuple arguments.',
+  },
+  {
+    id: 'INJ-CMD-EXEC', name: 'Command Injection', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-78', pattern: /(?:child_process|exec|execSync|spawn|spawnSync|system|popen|subprocess)\s*[\(.]\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*\w|f['"])/i,
+    languages: ['javascript', 'typescript', 'python', 'ruby', 'php'],
+    description: 'Operating system command built with dynamic input.',
+    remediation: 'Use execFile with argument arrays. Never construct commands from user input.',
+  },
+  {
+    id: 'INJ-XSS-INNERHTML', name: 'XSS via innerHTML', severity: Severity.HIGH, confidence: 'high',
+    cwe: 'CWE-79', pattern: /\.innerHTML\s*=\s*(?!['"](?:<br\s*\/?>|<hr\s*\/?>|<p>|<div>|<span>)['"])/,
+    languages: ['javascript', 'typescript'],
+    description: 'Setting innerHTML with potentially untrusted content.',
+    remediation: 'Use textContent for plain text, or sanitize with DOMPurify before innerHTML.',
+  },
+  {
+    id: 'INJ-XSS-DOCWRITE', name: 'XSS via document.write', severity: Severity.HIGH, confidence: 'high',
+    cwe: 'CWE-79', pattern: /document\.write(?:ln)?\s*\(/,
+    languages: ['javascript', 'typescript'],
+    description: 'document.write() can introduce XSS vulnerabilities.',
+    remediation: 'Use DOM manipulation methods instead.',
+  },
+  {
+    id: 'INJ-XSS-REACT', name: 'XSS via dangerouslySetInnerHTML', severity: Severity.HIGH, confidence: 'medium',
+    cwe: 'CWE-79', pattern: /dangerouslySetInnerHTML/,
+    antiPattern: /(?:DOMPurify|sanitize|purify|xss|escape)/i,
+    languages: ['javascript', 'typescript'],
+    description: 'React dangerouslySetInnerHTML used without visible sanitization.',
+    remediation: 'Sanitize content with DOMPurify before using dangerouslySetInnerHTML.',
+  },
+  {
+    id: 'INJ-EVAL', name: 'Code Injection via eval()', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-95', pattern: /\beval\s*\(\s*(?!['"][^'"]*['"])/,
+    languages: ['javascript', 'typescript', 'python', 'php', 'ruby'],
+    description: 'eval() with dynamic input enables arbitrary code execution.',
+    remediation: 'Avoid eval(). Use JSON.parse() for data, or purpose-built parsers.',
+  },
+  {
+    id: 'INJ-LDAP', name: 'LDAP Injection', severity: Severity.HIGH, confidence: 'medium',
+    cwe: 'CWE-90', pattern: /(?:ldap|LDAP).*(?:search|bind|modify|add)\s*\(.*(?:\+\s*\w|`[^`]*\$\{|\.format|%s)/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'csharp', 'php'],
+    description: 'LDAP query built with dynamic string construction.',
+    remediation: 'Escape special LDAP characters and use parameterized filters.',
+  },
+  {
+    id: 'INJ-NOSQL', name: 'NoSQL Injection', severity: Severity.HIGH, confidence: 'medium',
+    cwe: 'CWE-943', pattern: /(?:find|findOne|deleteOne|updateOne|aggregate)\s*\(\s*(?:req\.body|req\.query|req\.params|request\.\w)/,
+    languages: ['javascript', 'typescript'],
+    description: 'MongoDB query using raw user input without sanitization.',
+    remediation: 'Validate input types and use query builders. Reject $-prefixed keys.',
+  },
+  {
+    id: 'INJ-SSTI', name: 'Server-Side Template Injection', severity: Severity.CRITICAL, confidence: 'medium',
+    cwe: 'CWE-1336', pattern: /(?:render_template_string|Template\s*\(|nunjucks\.renderString|ejs\.render)\s*\(\s*(?:req|request|input|user)/i,
+    languages: ['javascript', 'typescript', 'python'],
+    description: 'User input passed directly as template source.',
+    remediation: 'Never use user input as template source. Use data binding with template files.',
+  },
+  {
+    id: 'INJ-XPATH', name: 'XPath Injection', severity: Severity.HIGH, confidence: 'medium',
+    cwe: 'CWE-643', pattern: /(?:xpath|selectNodes?|evaluate)\s*\(.*(?:\+\s*\w|`[^`]*\$\{|\.format)/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'csharp', 'php'],
+    description: 'XPath query built with dynamic input.',
+    remediation: 'Use parameterized XPath queries.',
+  },
+  {
+    id: 'INJ-HEADER', name: 'HTTP Header Injection', severity: Severity.MEDIUM, confidence: 'medium',
+    cwe: 'CWE-113', pattern: /(?:setHeader|writeHead|header)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:req\.|request\.|input|user)/i,
+    languages: ['javascript', 'typescript', 'python', 'php'],
+    description: 'HTTP header value set from user input.',
+    remediation: 'Validate and sanitize header values. Reject newline characters.',
+  },
+  {
+    id: 'INJ-REGEX', name: 'ReDoS (Regular Expression DoS)', severity: Severity.MEDIUM, confidence: 'medium',
+    cwe: 'CWE-1333', pattern: /new\s+RegExp\s*\(\s*(?:req\.|request\.|input|user|param|query|body|arg)/i,
+    languages: ['javascript', 'typescript'],
+    description: 'Regular expression constructed from user input — ReDoS risk.',
+    remediation: 'Escape user input or use RE2 for safe regex evaluation.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    if (!pat.languages.includes(language)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern && pat.antiPattern.test(line)) continue;
+
+        // Check surrounding context for anti-patterns
+        if (pat.antiPattern) {
+          const contextStart = Math.max(0, i - 3);
+          const contextEnd = Math.min(lines.length, i + 4);
+          const context = lines.slice(contextStart, contextEnd).join('\n');
+          if (pat.antiPattern.test(context)) continue;
+        }
+
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id,
+          title: pat.name,
+          description: pat.description,
+          severity: pat.severity,
+          confidence: pat.confidence,
+          filePath,
+          line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe,
+          owasp: 'A03',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context: number = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    })
+    .join('\n');
+}

package/src/detectors/misconfig.ts

@@ -0,0 +1,152 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'CFG-DEBUG-ON', name: 'Debug Mode Enabled', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-489',
+    pattern: /(?:app\.debug\s*=\s*True|DEBUG\s*=\s*True|debug\s*:\s*true|EnableDebugging|\.setDebug\(true\))/i,
+    antiPattern: /(?:process\.env|os\.environ|config\.get|if\s|\.env|test|spec)/,
+    description: 'Debug mode hardcoded as enabled.',
+    remediation: 'Use environment variable for debug mode.',
+  },
+  {
+    id: 'CFG-INSECURE-COOKIE', name: 'Insecure Cookie Configuration', severity: Severity.MEDIUM, confidence: 'high' as const,
+    cwe: 'CWE-614',
+    pattern: /(?:secure\s*:\s*false|httpOnly\s*:\s*false)/i,
+    description: 'Cookie configured with insecure flags.',
+    remediation: 'Set secure: true and httpOnly: true for session cookies.',
+  },
+  {
+    id: 'CFG-SAMESITE-NONE', name: 'SameSite None Cookie', severity: Severity.MEDIUM, confidence: 'high' as const,
+    cwe: 'CWE-1275',
+    pattern: /sameSite\s*:\s*['"]?none['"]?/i,
+    description: 'Cookie SameSite set to None allows cross-site requests.',
+    remediation: 'Use SameSite: "strict" or "lax" unless cross-site is required.',
+  },
+  {
+    id: 'CFG-MISSING-HELMET', name: 'Missing Security Headers', severity: Severity.LOW, confidence: 'low' as const,
+    cwe: 'CWE-693',
+    pattern: /(?:app\.listen|createServer|express\(\))/,
+    antiPattern: /(?:helmet|security.*header|Content-Security-Policy|X-Frame-Options|Strict-Transport|csp)/i,
+    description: 'Web server may lack security headers.',
+    remediation: 'Use Helmet.js or manually set CSP, HSTS, X-Frame-Options.',
+  },
+  {
+    id: 'CFG-CORS-STAR', name: 'CORS Wildcard Origin', severity: Severity.MEDIUM, confidence: 'high' as const,
+    cwe: 'CWE-942',
+    pattern: /(?:origin\s*:\s*(?:true|['"]?\*['"]?)|Access-Control-Allow-Origin.*\*)/,
+    description: 'CORS allows all origins.',
+    remediation: 'Restrict CORS to specific trusted origins.',
+  },
+  {
+    id: 'CFG-GRAPHQL-INTRO', name: 'GraphQL Introspection Enabled', severity: Severity.MEDIUM, confidence: 'high' as const,
+    cwe: 'CWE-200',
+    pattern: /introspection\s*:\s*true/,
+    description: 'GraphQL introspection enabled — schema exposed.',
+    remediation: 'Disable introspection in production.',
+  },
+  {
+    id: 'CFG-ROOT-STATIC', name: 'Static Files from Root', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-538',
+    pattern: /(?:express\.static|serveStatic)\s*\(\s*['"]\.?\/?['"]\s*\)/,
+    description: 'Serving static files from root may expose sensitive files.',
+    remediation: 'Serve static files from a dedicated public/ directory.',
+  },
+  {
+    id: 'CFG-DEFAULT-PORT', name: 'Default Debug Port', severity: Severity.LOW, confidence: 'medium' as const,
+    cwe: 'CWE-489',
+    pattern: /(?:--inspect|--debug|debugger.*port|debug-port)\s*(?:=\s*)?\d+/,
+    description: 'Debug port configuration found.',
+    remediation: 'Ensure debug ports are not exposed in production.',
+  },
+  {
+    id: 'CFG-PERMISSIVE-PERMS', name: 'Permissive File Permissions', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-732',
+    pattern: /(?:chmod\s+(?:777|666)|0o?777|permissions?\s*[:=]\s*0o?777)/,
+    description: 'World-writable file permissions.',
+    remediation: 'Use restrictive permissions (644 for files, 755 for directories).',
+  },
+  {
+    id: 'CFG-BIND-ALL', name: 'Binding to All Interfaces', severity: Severity.LOW, confidence: 'medium' as const,
+    cwe: 'CWE-668',
+    pattern: /(?:listen\s*\([^)]*['"]0\.0\.0\.0['"]|host\s*[:=]\s*['"]0\.0\.0\.0['"]|INADDR_ANY)/,
+    description: 'Server binding to all network interfaces.',
+    remediation: 'Bind to 127.0.0.1 in development.',
+  },
+  {
+    id: 'CFG-STACK-TRACE', name: 'Stack Trace Exposure', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-209',
+    pattern: /(?:res\.(?:send|json)\s*\(.*(?:err\.stack|error\.stack|stackTrace)|showStackError\s*:\s*true)/i,
+    description: 'Stack traces may be sent to clients.',
+    remediation: 'Log errors server-side, send generic messages to clients.',
+  },
+  {
+    id: 'CFG-BODY-NO-LIMIT', name: 'Body Parser Without Size Limit', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-400',
+    pattern: /(?:bodyParser\.json\(\s*\)|express\.json\(\s*\))/,
+    antiPattern: /limit/,
+    description: 'JSON body parser without size limit.',
+    remediation: 'Set a body size limit: express.json({ limit: "100kb" }).',
+  },
+  {
+    id: 'CFG-ENV-EXPOSURE', name: 'Environment Variables Exposed', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-200',
+    pattern: /(?:res\.(?:send|json)|response\.)\s*\(\s*process\.env\s*\)/,
+    description: 'Entire process.env sent to client.',
+    remediation: 'Only send specific, non-sensitive config values.',
+  },
+  {
+    id: 'CFG-ELECTRON-NODE', name: 'Electron nodeIntegration Enabled', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-94',
+    pattern: /nodeIntegration\s*:\s*true/,
+    description: 'Electron nodeIntegration enabled — XSS leads to RCE.',
+    remediation: 'Disable nodeIntegration and use contextBridge.',
+  },
+  {
+    id: 'CFG-ELECTRON-CTX', name: 'Electron contextIsolation Disabled', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-94',
+    pattern: /contextIsolation\s*:\s*false/,
+    description: 'Electron contextIsolation disabled.',
+    remediation: 'Enable contextIsolation.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 3);
+          const ce = Math.min(lines.length, i + 4);
+          if (pat.antiPattern.test(lines.slice(cs, ce).join('\n'))) continue;
+        }
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id, title: pat.name, description: pat.description,
+          severity: pat.severity, confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A05',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end).map((l, i) => {
+    const lineNum = start + i + 1;
+    const marker = (start + i === index) ? '>' : ' ';
+    return `${marker} ${lineNum} | ${l}`;
+  }).join('\n');
+}