ghostpatch 1.0.0

package/dist/detectors/injection.js

@@ -0,0 +1,158 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detect = detect;
+const severity_1 = require("../core/severity");
+const fingerprint_1 = require("../utils/fingerprint");
+const PATTERNS = [
+    {
+        id: 'INJ-SQL-CONCAT', name: 'SQL Injection (String Concatenation)', severity: severity_1.Severity.CRITICAL, confidence: 'high',
+        cwe: 'CWE-89', pattern: /(?:query|execute|exec|raw|prepare)\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE|DROP|UNION|ALTER)\b[^'"`]*['"`]\s*\+/i,
+        languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby', 'csharp', 'go'],
+        description: 'SQL query constructed via string concatenation with potential user input.',
+        remediation: 'Use parameterized queries or prepared statements.',
+    },
+    {
+        id: 'INJ-SQL-TEMPLATE', name: 'SQL Injection (Template Literal)', severity: severity_1.Severity.CRITICAL, confidence: 'high',
+        cwe: 'CWE-89', pattern: /(?:query|execute|exec|raw)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP)\b[^`]*\$\{/i,
+        languages: ['javascript', 'typescript'],
+        description: 'SQL query built with template literals containing interpolated values.',
+        remediation: 'Use parameterized queries or tagged template literals (e.g., sql`...`).',
+    },
+    {
+        id: 'INJ-SQL-FSTRING', name: 'SQL Injection (f-string/format)', severity: severity_1.Severity.CRITICAL, confidence: 'high',
+        cwe: 'CWE-89', pattern: /(?:execute|cursor)\s*\(\s*(?:f['"]|['"].*['"]\s*\.format\s*\(|['"].*['"]\s*%\s*)/i,
+        antiPattern: /(?:parameterize|placeholder|%s.*,\s*\(|%s.*,\s*\[)/,
+        languages: ['python'],
+        description: 'SQL query built with Python f-string or .format().',
+        remediation: 'Use parameterized queries with %s placeholders and tuple arguments.',
+    },
+    {
+        id: 'INJ-CMD-EXEC', name: 'Command Injection', severity: severity_1.Severity.CRITICAL, confidence: 'high',
+        cwe: 'CWE-78', pattern: /(?:child_process|exec|execSync|spawn|spawnSync|system|popen|subprocess)\s*[\(.]\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*\w|f['"])/i,
+        languages: ['javascript', 'typescript', 'python', 'ruby', 'php'],
+        description: 'Operating system command built with dynamic input.',
+        remediation: 'Use execFile with argument arrays. Never construct commands from user input.',
+    },
+    {
+        id: 'INJ-XSS-INNERHTML', name: 'XSS via innerHTML', severity: severity_1.Severity.HIGH, confidence: 'high',
+        cwe: 'CWE-79', pattern: /\.innerHTML\s*=\s*(?!['"](?:<br\s*\/?>|<hr\s*\/?>|<p>|<div>|<span>)['"])/,
+        languages: ['javascript', 'typescript'],
+        description: 'Setting innerHTML with potentially untrusted content.',
+        remediation: 'Use textContent for plain text, or sanitize with DOMPurify before innerHTML.',
+    },
+    {
+        id: 'INJ-XSS-DOCWRITE', name: 'XSS via document.write', severity: severity_1.Severity.HIGH, confidence: 'high',
+        cwe: 'CWE-79', pattern: /document\.write(?:ln)?\s*\(/,
+        languages: ['javascript', 'typescript'],
+        description: 'document.write() can introduce XSS vulnerabilities.',
+        remediation: 'Use DOM manipulation methods instead.',
+    },
+    {
+        id: 'INJ-XSS-REACT', name: 'XSS via dangerouslySetInnerHTML', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-79', pattern: /dangerouslySetInnerHTML/,
+        antiPattern: /(?:DOMPurify|sanitize|purify|xss|escape)/i,
+        languages: ['javascript', 'typescript'],
+        description: 'React dangerouslySetInnerHTML used without visible sanitization.',
+        remediation: 'Sanitize content with DOMPurify before using dangerouslySetInnerHTML.',
+    },
+    {
+        id: 'INJ-EVAL', name: 'Code Injection via eval()', severity: severity_1.Severity.CRITICAL, confidence: 'high',
+        cwe: 'CWE-95', pattern: /\beval\s*\(\s*(?!['"][^'"]*['"])/,
+        languages: ['javascript', 'typescript', 'python', 'php', 'ruby'],
+        description: 'eval() with dynamic input enables arbitrary code execution.',
+        remediation: 'Avoid eval(). Use JSON.parse() for data, or purpose-built parsers.',
+    },
+    {
+        id: 'INJ-LDAP', name: 'LDAP Injection', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-90', pattern: /(?:ldap|LDAP).*(?:search|bind|modify|add)\s*\(.*(?:\+\s*\w|`[^`]*\$\{|\.format|%s)/,
+        languages: ['javascript', 'typescript', 'python', 'java', 'csharp', 'php'],
+        description: 'LDAP query built with dynamic string construction.',
+        remediation: 'Escape special LDAP characters and use parameterized filters.',
+    },
+    {
+        id: 'INJ-NOSQL', name: 'NoSQL Injection', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-943', pattern: /(?:find|findOne|deleteOne|updateOne|aggregate)\s*\(\s*(?:req\.body|req\.query|req\.params|request\.\w)/,
+        languages: ['javascript', 'typescript'],
+        description: 'MongoDB query using raw user input without sanitization.',
+        remediation: 'Validate input types and use query builders. Reject $-prefixed keys.',
+    },
+    {
+        id: 'INJ-SSTI', name: 'Server-Side Template Injection', severity: severity_1.Severity.CRITICAL, confidence: 'medium',
+        cwe: 'CWE-1336', pattern: /(?:render_template_string|Template\s*\(|nunjucks\.renderString|ejs\.render)\s*\(\s*(?:req|request|input|user)/i,
+        languages: ['javascript', 'typescript', 'python'],
+        description: 'User input passed directly as template source.',
+        remediation: 'Never use user input as template source. Use data binding with template files.',
+    },
+    {
+        id: 'INJ-XPATH', name: 'XPath Injection', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-643', pattern: /(?:xpath|selectNodes?|evaluate)\s*\(.*(?:\+\s*\w|`[^`]*\$\{|\.format)/,
+        languages: ['javascript', 'typescript', 'python', 'java', 'csharp', 'php'],
+        description: 'XPath query built with dynamic input.',
+        remediation: 'Use parameterized XPath queries.',
+    },
+    {
+        id: 'INJ-HEADER', name: 'HTTP Header Injection', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-113', pattern: /(?:setHeader|writeHead|header)\s*\(\s*['"][^'"]+['"]\s*,\s*(?:req\.|request\.|input|user)/i,
+        languages: ['javascript', 'typescript', 'python', 'php'],
+        description: 'HTTP header value set from user input.',
+        remediation: 'Validate and sanitize header values. Reject newline characters.',
+    },
+    {
+        id: 'INJ-REGEX', name: 'ReDoS (Regular Expression DoS)', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-1333', pattern: /new\s+RegExp\s*\(\s*(?:req\.|request\.|input|user|param|query|body|arg)/i,
+        languages: ['javascript', 'typescript'],
+        description: 'Regular expression constructed from user input — ReDoS risk.',
+        remediation: 'Escape user input or use RE2 for safe regex evaluation.',
+    },
+];
+function detect(content, filePath, language) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (const pat of PATTERNS) {
+        if (!pat.languages.includes(language))
+            continue;
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (pat.pattern.test(line)) {
+                if (pat.antiPattern && pat.antiPattern.test(line))
+                    continue;
+                // Check surrounding context for anti-patterns
+                if (pat.antiPattern) {
+                    const contextStart = Math.max(0, i - 3);
+                    const contextEnd = Math.min(lines.length, i + 4);
+                    const context = lines.slice(contextStart, contextEnd).join('\n');
+                    if (pat.antiPattern.test(context))
+                        continue;
+                }
+                findings.push({
+                    id: `${pat.id}-${filePath}:${i + 1}`,
+                    ruleId: pat.id,
+                    title: pat.name,
+                    description: pat.description,
+                    severity: pat.severity,
+                    confidence: pat.confidence,
+                    filePath,
+                    line: i + 1,
+                    codeSnippet: getSnippet(lines, i),
+                    cwe: pat.cwe,
+                    owasp: 'A03',
+                    remediation: pat.remediation,
+                    fingerprint: (0, fingerprint_1.generateFingerprint)(pat.id, filePath, line.trim()),
+                });
+            }
+        }
+    }
+    return findings;
+}
+function getSnippet(lines, index, context = 2) {
+    const start = Math.max(0, index - context);
+    const end = Math.min(lines.length, index + context + 1);
+    return lines.slice(start, end)
+        .map((l, i) => {
+        const lineNum = start + i + 1;
+        const marker = (start + i === index) ? '>' : ' ';
+        return `${marker} ${lineNum} | ${l}`;
+    })
+        .join('\n');
+}
+//# sourceMappingURL=injection.js.map

package/dist/detectors/injection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"injection.js","sourceRoot":"","sources":["../../src/detectors/injection.ts"],"names":[],"mappings":";;AAuHA,wBAwCC;AA/JD,+CAAqD;AACrD,sDAA2D;AAe3D,MAAM,QAAQ,GAAsB;IAClC;QACE,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,sCAAsC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM;QACnH,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,qHAAqH;QAC7I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC;QACxF,WAAW,EAAE,2EAA2E;QACxF,WAAW,EAAE,mDAAmD;KACjE;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,kCAAkC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM;QACjH,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,0FAA0F;QAClH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,wEAAwE;QACrF,WAAW,EAAE,yEAAyE;KACvF;IACD;QACE,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,iCAAiC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM;QAC/G,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,mFAAmF;QAC3G,WAAW,EAAE,oDAAoD;QACjE,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,WAAW,EAAE,oDAAoD;QACjE,WAAW,EAAE,qEAAqE;KACnF;IACD;QACE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM;QAC9F,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,kIAAkI;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC;QAChE,WAAW,EAAE,oDAAoD;QACjE,WAAW,EAAE,8EAA8E;KAC5F;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM;QAC/F,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,0EAA0E;QAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,uDAAuD;QACpE,WAAW,EAAE,8EAA8E;KAC5F;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM;QACnG,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,6BAA6B;QACrD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,qDAAqD;QAClE,WAAW,EAAE,uCAAuC;KACrD;IACD;QACE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,iCAAiC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ;QAC3G,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,yBAAyB;QACjD,WAAW,EAAE,2CAA2C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,uEAAuE;KACrF;IACD;QACE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM;QAClG,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,kCAAkC;QAC1D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC;QAChE,WAAW,EAAE,6DAA6D;QAC1E,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ;QACrF,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,oFAAoF;QAC5G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC;QAC1E,WAAW,EAAE,oDAAoD;QACjE,WAAW,EAAE,+DAA+D;KAC7E;IACD;QACE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ;QACvF,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,wGAAwG;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,0DAA0D;QACvE,WAAW,EAAE,sEAAsE;KACpF;IACD;QACE,EAAE,EAAE,UAAU,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,QAAQ,EAAE,UAAU,EAAE,QAAQ;QACzG,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,gHAAgH;QAC1I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,WAAW,EAAE,gDAAgD;QAC7D,WAAW,EAAE,gFAAgF;KAC9F;IACD;QACE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ;QACvF,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,uEAAuE;QAChG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC;QAC1E,WAAW,EAAE,uCAAuC;QACpD,WAAW,EAAE,kCAAkC;KAChD;IACD;QACE,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ;QAChG,GAAG,EAAE,SAAS,EAAE,OAAO,EAAE,4FAA4F;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,CAAC;QACxD,WAAW,EAAE,wCAAwC;QACrD,WAAW,EAAE,iEAAiE;KAC/E;IACD;QACE,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ;QACxG,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,0EAA0E;QACpG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,WAAW,EAAE,8DAA8D;QAC3E,WAAW,EAAE,yDAAyD;KACvE;CACF,CAAC;AAEF,SAAgB,MAAM,CAAC,OAAe,EAAE,QAAgB,EAAE,QAAgB;IACxE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEhD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;oBAAE,SAAS;gBAE5D,8CAA8C;gBAC9C,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;oBACpB,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBACxC,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBACjD,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjE,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC;wBAAE,SAAS;gBAC9C,CAAC;gBAED,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;oBACpC,MAAM,EAAE,GAAG,CAAC,EAAE;oBACd,KAAK,EAAE,GAAG,CAAC,IAAI;oBACf,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,QAAQ,EAAE,GAAG,CAAC,QAAQ;oBACtB,UAAU,EAAE,GAAG,CAAC,UAAU;oBAC1B,QAAQ;oBACR,IAAI,EAAE,CAAC,GAAG,CAAC;oBACX,WAAW,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;oBACjC,GAAG,EAAE,GAAG,CAAC,GAAG;oBACZ,KAAK,EAAE,KAAK;oBACZ,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,WAAW,EAAE,IAAA,iCAAmB,EAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,KAAe,EAAE,KAAa,EAAE,UAAkB,CAAC;IACrE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACZ,MAAM,OAAO,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjD,OAAO,GAAG,MAAM,IAAI,OAAO,MAAM,CAAC,EAAE,CAAC;IACvC,CAAC,CAAC;SACD,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC"}

package/dist/detectors/misconfig.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from '../core/severity';
+export declare function detect(content: string, filePath: string, language: string): Finding[];
+//# sourceMappingURL=misconfig.d.ts.map

package/dist/detectors/misconfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"misconfig.d.ts","sourceRoot":"","sources":["../../src/detectors/misconfig.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAY,MAAM,kBAAkB,CAAC;AAkHrD,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA2BrF"}

package/dist/detectors/misconfig.js

@@ -0,0 +1,153 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detect = detect;
+const severity_1 = require("../core/severity");
+const fingerprint_1 = require("../utils/fingerprint");
+const PATTERNS = [
+    {
+        id: 'CFG-DEBUG-ON', name: 'Debug Mode Enabled', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-489',
+        pattern: /(?:app\.debug\s*=\s*True|DEBUG\s*=\s*True|debug\s*:\s*true|EnableDebugging|\.setDebug\(true\))/i,
+        antiPattern: /(?:process\.env|os\.environ|config\.get|if\s|\.env|test|spec)/,
+        description: 'Debug mode hardcoded as enabled.',
+        remediation: 'Use environment variable for debug mode.',
+    },
+    {
+        id: 'CFG-INSECURE-COOKIE', name: 'Insecure Cookie Configuration', severity: severity_1.Severity.MEDIUM, confidence: 'high',
+        cwe: 'CWE-614',
+        pattern: /(?:secure\s*:\s*false|httpOnly\s*:\s*false)/i,
+        description: 'Cookie configured with insecure flags.',
+        remediation: 'Set secure: true and httpOnly: true for session cookies.',
+    },
+    {
+        id: 'CFG-SAMESITE-NONE', name: 'SameSite None Cookie', severity: severity_1.Severity.MEDIUM, confidence: 'high',
+        cwe: 'CWE-1275',
+        pattern: /sameSite\s*:\s*['"]?none['"]?/i,
+        description: 'Cookie SameSite set to None allows cross-site requests.',
+        remediation: 'Use SameSite: "strict" or "lax" unless cross-site is required.',
+    },
+    {
+        id: 'CFG-MISSING-HELMET', name: 'Missing Security Headers', severity: severity_1.Severity.LOW, confidence: 'low',
+        cwe: 'CWE-693',
+        pattern: /(?:app\.listen|createServer|express\(\))/,
+        antiPattern: /(?:helmet|security.*header|Content-Security-Policy|X-Frame-Options|Strict-Transport|csp)/i,
+        description: 'Web server may lack security headers.',
+        remediation: 'Use Helmet.js or manually set CSP, HSTS, X-Frame-Options.',
+    },
+    {
+        id: 'CFG-CORS-STAR', name: 'CORS Wildcard Origin', severity: severity_1.Severity.MEDIUM, confidence: 'high',
+        cwe: 'CWE-942',
+        pattern: /(?:origin\s*:\s*(?:true|['"]?\*['"]?)|Access-Control-Allow-Origin.*\*)/,
+        description: 'CORS allows all origins.',
+        remediation: 'Restrict CORS to specific trusted origins.',
+    },
+    {
+        id: 'CFG-GRAPHQL-INTRO', name: 'GraphQL Introspection Enabled', severity: severity_1.Severity.MEDIUM, confidence: 'high',
+        cwe: 'CWE-200',
+        pattern: /introspection\s*:\s*true/,
+        description: 'GraphQL introspection enabled — schema exposed.',
+        remediation: 'Disable introspection in production.',
+    },
+    {
+        id: 'CFG-ROOT-STATIC', name: 'Static Files from Root', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-538',
+        pattern: /(?:express\.static|serveStatic)\s*\(\s*['"]\.?\/?['"]\s*\)/,
+        description: 'Serving static files from root may expose sensitive files.',
+        remediation: 'Serve static files from a dedicated public/ directory.',
+    },
+    {
+        id: 'CFG-DEFAULT-PORT', name: 'Default Debug Port', severity: severity_1.Severity.LOW, confidence: 'medium',
+        cwe: 'CWE-489',
+        pattern: /(?:--inspect|--debug|debugger.*port|debug-port)\s*(?:=\s*)?\d+/,
+        description: 'Debug port configuration found.',
+        remediation: 'Ensure debug ports are not exposed in production.',
+    },
+    {
+        id: 'CFG-PERMISSIVE-PERMS', name: 'Permissive File Permissions', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-732',
+        pattern: /(?:chmod\s+(?:777|666)|0o?777|permissions?\s*[:=]\s*0o?777)/,
+        description: 'World-writable file permissions.',
+        remediation: 'Use restrictive permissions (644 for files, 755 for directories).',
+    },
+    {
+        id: 'CFG-BIND-ALL', name: 'Binding to All Interfaces', severity: severity_1.Severity.LOW, confidence: 'medium',
+        cwe: 'CWE-668',
+        pattern: /(?:listen\s*\([^)]*['"]0\.0\.0\.0['"]|host\s*[:=]\s*['"]0\.0\.0\.0['"]|INADDR_ANY)/,
+        description: 'Server binding to all network interfaces.',
+        remediation: 'Bind to 127.0.0.1 in development.',
+    },
+    {
+        id: 'CFG-STACK-TRACE', name: 'Stack Trace Exposure', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-209',
+        pattern: /(?:res\.(?:send|json)\s*\(.*(?:err\.stack|error\.stack|stackTrace)|showStackError\s*:\s*true)/i,
+        description: 'Stack traces may be sent to clients.',
+        remediation: 'Log errors server-side, send generic messages to clients.',
+    },
+    {
+        id: 'CFG-BODY-NO-LIMIT', name: 'Body Parser Without Size Limit', severity: severity_1.Severity.MEDIUM, confidence: 'medium',
+        cwe: 'CWE-400',
+        pattern: /(?:bodyParser\.json\(\s*\)|express\.json\(\s*\))/,
+        antiPattern: /limit/,
+        description: 'JSON body parser without size limit.',
+        remediation: 'Set a body size limit: express.json({ limit: "100kb" }).',
+    },
+    {
+        id: 'CFG-ENV-EXPOSURE', name: 'Environment Variables Exposed', severity: severity_1.Severity.HIGH, confidence: 'high',
+        cwe: 'CWE-200',
+        pattern: /(?:res\.(?:send|json)|response\.)\s*\(\s*process\.env\s*\)/,
+        description: 'Entire process.env sent to client.',
+        remediation: 'Only send specific, non-sensitive config values.',
+    },
+    {
+        id: 'CFG-ELECTRON-NODE', name: 'Electron nodeIntegration Enabled', severity: severity_1.Severity.HIGH, confidence: 'high',
+        cwe: 'CWE-94',
+        pattern: /nodeIntegration\s*:\s*true/,
+        description: 'Electron nodeIntegration enabled — XSS leads to RCE.',
+        remediation: 'Disable nodeIntegration and use contextBridge.',
+    },
+    {
+        id: 'CFG-ELECTRON-CTX', name: 'Electron contextIsolation Disabled', severity: severity_1.Severity.HIGH, confidence: 'high',
+        cwe: 'CWE-94',
+        pattern: /contextIsolation\s*:\s*false/,
+        description: 'Electron contextIsolation disabled.',
+        remediation: 'Enable contextIsolation.',
+    },
+];
+function detect(content, filePath, language) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (const pat of PATTERNS) {
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (pat.pattern.test(line)) {
+                if (pat.antiPattern) {
+                    const cs = Math.max(0, i - 3);
+                    const ce = Math.min(lines.length, i + 4);
+                    if (pat.antiPattern.test(lines.slice(cs, ce).join('\n')))
+                        continue;
+                }
+                findings.push({
+                    id: `${pat.id}-${filePath}:${i + 1}`,
+                    ruleId: pat.id, title: pat.name, description: pat.description,
+                    severity: pat.severity, confidence: pat.confidence,
+                    filePath, line: i + 1,
+                    codeSnippet: getSnippet(lines, i),
+                    cwe: pat.cwe, owasp: 'A05',
+                    remediation: pat.remediation,
+                    fingerprint: (0, fingerprint_1.generateFingerprint)(pat.id, filePath, line.trim()),
+                });
+            }
+        }
+    }
+    return findings;
+}
+function getSnippet(lines, index, context = 2) {
+    const start = Math.max(0, index - context);
+    const end = Math.min(lines.length, index + context + 1);
+    return lines.slice(start, end).map((l, i) => {
+        const lineNum = start + i + 1;
+        const marker = (start + i === index) ? '>' : ' ';
+        return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}
+//# sourceMappingURL=misconfig.js.map

package/dist/detectors/misconfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"misconfig.js","sourceRoot":"","sources":["../../src/detectors/misconfig.ts"],"names":[],"mappings":";;AAkHA,wBA2BC;AA7ID,+CAAqD;AACrD,sDAA2D;AAE3D,MAAM,QAAQ,GAAG;IACf;QACE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAiB;QACxG,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,iGAAiG;QAC1G,WAAW,EAAE,+DAA+D;QAC5E,WAAW,EAAE,kCAAkC;QAC/C,WAAW,EAAE,0CAA0C;KACxD;IACD;QACE,EAAE,EAAE,qBAAqB,EAAE,IAAI,EAAE,+BAA+B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAe;QACxH,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,8CAA8C;QACvD,WAAW,EAAE,wCAAwC;QACrD,WAAW,EAAE,0DAA0D;KACxE;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAe;QAC7G,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,gCAAgC;QACzC,WAAW,EAAE,yDAAyD;QACtE,WAAW,EAAE,gEAAgE;KAC9E;IACD;QACE,EAAE,EAAE,oBAAoB,EAAE,IAAI,EAAE,0BAA0B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,KAAc;QAC9G,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,0CAA0C;QACnD,WAAW,EAAE,2FAA2F;QACxG,WAAW,EAAE,uCAAuC;QACpD,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAe;QACzG,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,wEAAwE;QACjF,WAAW,EAAE,0BAA0B;QACvC,WAAW,EAAE,4CAA4C;KAC1D;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,+BAA+B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,MAAe;QACtH,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,0BAA0B;QACnC,WAAW,EAAE,iDAAiD;QAC9D,WAAW,EAAE,sCAAsC;KACpD;IACD;QACE,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QAC7G,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,4DAA4D;QACrE,WAAW,EAAE,4DAA4D;QACzE,WAAW,EAAE,wDAAwD;KACtE;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,QAAiB;QACzG,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,gEAAgE;QACzE,WAAW,EAAE,iCAAiC;QAC9C,WAAW,EAAE,mDAAmD;KACjE;IACD;QACE,EAAE,EAAE,sBAAsB,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAiB;QACzH,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,6DAA6D;QACtE,WAAW,EAAE,kCAAkC;QAC/C,WAAW,EAAE,mEAAmE;KACjF;IACD;QACE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,2BAA2B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,QAAiB;QAC5G,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,oFAAoF;QAC7F,WAAW,EAAE,2CAA2C;QACxD,WAAW,EAAE,mCAAmC;KACjD;IACD;QACE,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAiB;QAC7G,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,gGAAgG;QACzG,WAAW,EAAE,sCAAsC;QACnD,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,gCAAgC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAiB;QACzH,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,kDAAkD;QAC3D,WAAW,EAAE,OAAO;QACpB,WAAW,EAAE,sCAAsC;QACnD,WAAW,EAAE,0DAA0D;KACxE;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,+BAA+B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,MAAe;QACnH,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,4DAA4D;QACrE,WAAW,EAAE,oCAAoC;QACjD,WAAW,EAAE,kDAAkD;KAChE;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,kCAAkC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,MAAe;QACvH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,4BAA4B;QACrC,WAAW,EAAE,sDAAsD;QACnE,WAAW,EAAE,gDAAgD;KAC9D;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,oCAAoC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,MAAe;QACxH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,8BAA8B;QACvC,WAAW,EAAE,qCAAqC;QAClD,WAAW,EAAE,0BAA0B;KACxC;CACF,CAAC;AAEF,SAAgB,MAAM,CAAC,OAAe,EAAE,QAAgB,EAAE,QAAgB;IACxE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;oBACpB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBACzC,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAAE,SAAS;gBACrE,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;oBACpC,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC7D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU;oBAClD,QAAQ,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;oBACrB,WAAW,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;oBACjC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK;oBAC1B,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,WAAW,EAAE,IAAA,iCAAmB,EAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,KAAe,EAAE,KAAa,EAAE,OAAO,GAAG,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1C,MAAM,OAAO,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjD,OAAO,GAAG,MAAM,IAAI,OAAO,MAAM,CAAC,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC"}

package/dist/detectors/pathtraversal.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from '../core/severity';
+export declare function detect(content: string, filePath: string, language: string): Finding[];
+//# sourceMappingURL=pathtraversal.d.ts.map

package/dist/detectors/pathtraversal.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pathtraversal.d.ts","sourceRoot":"","sources":["../../src/detectors/pathtraversal.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAY,MAAM,kBAAkB,CAAC;AAkDrD,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA2BrF"}

package/dist/detectors/pathtraversal.js

@@ -0,0 +1,90 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detect = detect;
+const severity_1 = require("../core/severity");
+const fingerprint_1 = require("../utils/fingerprint");
+const PATTERNS = [
+    {
+        id: 'PATH-TRAVERSAL-FS', name: 'Path Traversal (File System)', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:readFile|readFileSync|createReadStream|writeFile|writeFileSync|appendFile|unlink|unlinkSync|open|openSync|access|accessSync)\s*\(\s*(?:req\.|request\.|input|user|param|query|body|path\.join\s*\([^)]*req)/i,
+        description: 'File operation with user-controlled path — directory traversal risk.',
+        remediation: 'Validate paths. Use path.resolve() and verify against a base directory.',
+    },
+    {
+        id: 'PATH-TRAVERSAL-PY', name: 'Path Traversal (Python)', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:open|os\.path\.join|pathlib\.Path|shutil\.copy|os\.rename)\s*\(\s*(?:request\.|input|user_|flask\.request|args\.get|form\.get)/i,
+        description: 'File operation with user-controlled path in Python.',
+        remediation: 'Use os.path.realpath() and verify against base directory.',
+    },
+    {
+        id: 'PATH-TRAVERSAL-JAVA', name: 'Path Traversal (Java)', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:new\s+File|Paths\.get|FileInputStream|FileOutputStream)\s*\(\s*(?:request\.getParameter|servletRequest|param|input)/i,
+        description: 'File operation with user-controlled path in Java.',
+        remediation: 'Canonicalize path and verify it starts with the expected base directory.',
+    },
+    {
+        id: 'PATH-ZIP-SLIP', name: 'Zip Slip Vulnerability', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:extractAll|extract\s*\(|unzip|ZipFile|tar\.extractall|tar\.extract|decompress|gunzip)\s*\(/i,
+        antiPattern: /(?:validatePath|sanitize|startsWith|normalize|realpath|abspath|canonical)/i,
+        description: 'Archive extraction without path validation — Zip Slip vulnerability.',
+        remediation: 'Validate extracted paths stay within intended directory.',
+    },
+    {
+        id: 'PATH-DOT-DOT', name: 'Directory Traversal Sequence', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:\.\.\/|\.\.\\|%2e%2e%2f|%2e%2e\/|\.\.%2f|%2e%2e%5c)/i,
+        antiPattern: /(?:import|require|from\s+['"]|test|spec|relative)/,
+        description: 'Directory traversal sequence detected.',
+        remediation: 'Reject input containing ".." path sequences.',
+    },
+    {
+        id: 'PATH-SEND-FILE', name: 'Unsafe File Serving', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-22',
+        pattern: /(?:sendFile|send_file|download|serveFile)\s*\(\s*(?:req\.|request\.|path\.join\s*\([^)]*(?:req|param|query))/i,
+        description: 'File sent to client based on user input.',
+        remediation: 'Validate file paths and restrict to safe directories.',
+    },
+];
+function detect(content, filePath, language) {
+    const findings = [];
+    const lines = content.split('\n');
+    for (const pat of PATTERNS) {
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (pat.pattern.test(line)) {
+                if (pat.antiPattern) {
+                    const cs = Math.max(0, i - 3);
+                    const ce = Math.min(lines.length, i + 4);
+                    if (pat.antiPattern.test(lines.slice(cs, ce).join('\n')))
+                        continue;
+                }
+                findings.push({
+                    id: `${pat.id}-${filePath}:${i + 1}`,
+                    ruleId: pat.id, title: pat.name, description: pat.description,
+                    severity: pat.severity, confidence: pat.confidence,
+                    filePath, line: i + 1,
+                    codeSnippet: getSnippet(lines, i),
+                    cwe: pat.cwe, owasp: 'A01',
+                    remediation: pat.remediation,
+                    fingerprint: (0, fingerprint_1.generateFingerprint)(pat.id, filePath, line.trim()),
+                });
+            }
+        }
+    }
+    return findings;
+}
+function getSnippet(lines, index, context = 2) {
+    const start = Math.max(0, index - context);
+    const end = Math.min(lines.length, index + context + 1);
+    return lines.slice(start, end)
+        .map((l, i) => {
+        const lineNum = start + i + 1;
+        const marker = (start + i === index) ? '>' : ' ';
+        return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}
+//# sourceMappingURL=pathtraversal.js.map

package/dist/detectors/pathtraversal.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pathtraversal.js","sourceRoot":"","sources":["../../src/detectors/pathtraversal.ts"],"names":[],"mappings":";;AAkDA,wBA2BC;AA7ED,+CAAqD;AACrD,sDAA2D;AAE3D,MAAM,QAAQ,GAAG;IACf;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QACrH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,iNAAiN;QAC1N,WAAW,EAAE,sEAAsE;QACnF,WAAW,EAAE,yEAAyE;KACvF;IACD;QACE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,yBAAyB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QAChH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,oIAAoI;QAC7I,WAAW,EAAE,qDAAqD;QAClE,WAAW,EAAE,2DAA2D;KACzE;IACD;QACE,EAAE,EAAE,qBAAqB,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QAChH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,yHAAyH;QAClI,WAAW,EAAE,mDAAmD;QAChE,WAAW,EAAE,0EAA0E;KACxF;IACD;QACE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,wBAAwB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QAC3G,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,gGAAgG;QACzG,WAAW,EAAE,4EAA4E;QACzF,WAAW,EAAE,sEAAsE;QACnF,WAAW,EAAE,0DAA0D;KACxE;IACD;QACE,EAAE,EAAE,cAAc,EAAE,IAAI,EAAE,8BAA8B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QAChH,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,yDAAyD;QAClE,WAAW,EAAE,mDAAmD;QAChE,WAAW,EAAE,wCAAwC;QACrD,WAAW,EAAE,8CAA8C;KAC5D;IACD;QACE,EAAE,EAAE,gBAAgB,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QACzG,GAAG,EAAE,QAAQ;QACb,OAAO,EAAE,+GAA+G;QACxH,WAAW,EAAE,0CAA0C;QACvD,WAAW,EAAE,uDAAuD;KACrE;CACF,CAAC;AAEF,SAAgB,MAAM,CAAC,OAAe,EAAE,QAAgB,EAAE,QAAgB;IACxE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;oBACpB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBACzC,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAAE,SAAS;gBACrE,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;oBACpC,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC7D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU;oBAClD,QAAQ,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;oBACrB,WAAW,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;oBACjC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK;oBAC1B,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,WAAW,EAAE,IAAA,iCAAmB,EAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,KAAe,EAAE,KAAa,EAAE,OAAO,GAAG,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC;SAC3B,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACZ,MAAM,OAAO,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjD,OAAO,GAAG,MAAM,IAAI,OAAO,MAAM,CAAC,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAClB,CAAC"}

package/dist/detectors/prototype.d.ts

@@ -0,0 +1,3 @@
+import { Finding } from '../core/severity';
+export declare function detect(content: string, filePath: string, language: string): Finding[];
+//# sourceMappingURL=prototype.d.ts.map

package/dist/detectors/prototype.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prototype.d.ts","sourceRoot":"","sources":["../../src/detectors/prototype.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAY,MAAM,kBAAkB,CAAC;AAsCrD,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CA4BrF"}

package/dist/detectors/prototype.js

@@ -0,0 +1,79 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detect = detect;
+const severity_1 = require("../core/severity");
+const fingerprint_1 = require("../utils/fingerprint");
+const PATTERNS = [
+    {
+        id: 'PROTO-MERGE', name: 'Prototype Pollution via Deep Merge', severity: severity_1.Severity.HIGH, confidence: 'medium',
+        cwe: 'CWE-1321',
+        pattern: /(?:Object\.assign|_\.merge|_\.extend|_\.defaultsDeep|deepmerge|deep-extend|merge-deep|lodash\.merge)\s*\(/,
+        antiPattern: /(?:Object\.create\(null\)|hasOwnProperty|__proto__|prototype|constructor.*check)/i,
+        description: 'Deep merge may allow prototype pollution.',
+        remediation: 'Validate input keys. Reject __proto__, constructor, and prototype.',
+    },
+    {
+        id: 'PROTO-BRACKET', name: 'Dynamic Property Assignment', severity: severity_1.Severity.MEDIUM, confidence: 'low',
+        cwe: 'CWE-1321',
+        pattern: /\w+\s*\[\s*(?:key|prop|name|field|attr|k|p|property)\s*\]\s*=\s*(?!undefined|null|false|true|0|''|"")/,
+        antiPattern: /(?:hasOwnProperty|Object\.keys|Object\.entries|whitelist|allowlist|sanitize|__proto__|prototype|constructor)/i,
+        description: 'Dynamic property assignment without prototype pollution guard.',
+        remediation: 'Check key is not __proto__, constructor, or prototype before assignment.',
+    },
+    {
+        id: 'PROTO-JSON-PARSE', name: 'JSON.parse Without Prototype Check', severity: severity_1.Severity.LOW, confidence: 'low',
+        cwe: 'CWE-1321',
+        pattern: /JSON\.parse\s*\(\s*(?:req\.|request\.|body|input|user|data)/i,
+        antiPattern: /(?:reviver|filter|sanitize|validate|schema)/i,
+        description: 'JSON.parse of user input may contain __proto__ keys.',
+        remediation: 'Use a JSON reviver to strip __proto__ keys, or validate input schema.',
+    },
+    {
+        id: 'PROTO-RECURSIVE', name: 'Recursive Object Copy', severity: severity_1.Severity.MEDIUM, confidence: 'low',
+        cwe: 'CWE-1321',
+        pattern: /function\s+(?:deep[Cc]opy|deep[Cc]lone|deep[Mm]erge|extend|assign[Dd]eep)\s*\(/,
+        antiPattern: /(?:__proto__|prototype|constructor|hasOwnProperty|Object\.create\(null\))/i,
+        description: 'Custom deep copy/merge may be vulnerable to prototype pollution.',
+        remediation: 'Add checks for __proto__, constructor, and prototype in recursive operations.',
+    },
+];
+function detect(content, filePath, language) {
+    const findings = [];
+    if (!['javascript', 'typescript'].includes(language))
+        return findings;
+    const lines = content.split('\n');
+    for (const pat of PATTERNS) {
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            if (pat.pattern.test(line)) {
+                if (pat.antiPattern) {
+                    const cs = Math.max(0, i - 5);
+                    const ce = Math.min(lines.length, i + 6);
+                    if (pat.antiPattern.test(lines.slice(cs, ce).join('\n')))
+                        continue;
+                }
+                findings.push({
+                    id: `${pat.id}-${filePath}:${i + 1}`,
+                    ruleId: pat.id, title: pat.name, description: pat.description,
+                    severity: pat.severity, confidence: pat.confidence,
+                    filePath, line: i + 1,
+                    codeSnippet: getSnippet(lines, i),
+                    cwe: pat.cwe, owasp: 'A03',
+                    remediation: pat.remediation,
+                    fingerprint: (0, fingerprint_1.generateFingerprint)(pat.id, filePath, line.trim()),
+                });
+            }
+        }
+    }
+    return findings;
+}
+function getSnippet(lines, index, context = 2) {
+    const start = Math.max(0, index - context);
+    const end = Math.min(lines.length, index + context + 1);
+    return lines.slice(start, end).map((l, i) => {
+        const lineNum = start + i + 1;
+        const marker = (start + i === index) ? '>' : ' ';
+        return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}
+//# sourceMappingURL=prototype.js.map

package/dist/detectors/prototype.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prototype.js","sourceRoot":"","sources":["../../src/detectors/prototype.ts"],"names":[],"mappings":";;AAsCA,wBA4BC;AAlED,+CAAqD;AACrD,sDAA2D;AAE3D,MAAM,QAAQ,GAAG;IACf;QACE,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,oCAAoC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,IAAI,EAAE,UAAU,EAAE,QAAiB;QACrH,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,2GAA2G;QACpH,WAAW,EAAE,mFAAmF;QAChG,WAAW,EAAE,2CAA2C;QACxD,WAAW,EAAE,oEAAoE;KAClF;IACD;QACE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE,6BAA6B,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,KAAc;QAC/G,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,uGAAuG;QAChH,WAAW,EAAE,+GAA+G;QAC5H,WAAW,EAAE,gEAAgE;QAC7E,WAAW,EAAE,0EAA0E;KACxF;IACD;QACE,EAAE,EAAE,kBAAkB,EAAE,IAAI,EAAE,oCAAoC,EAAE,QAAQ,EAAE,mBAAQ,CAAC,GAAG,EAAE,UAAU,EAAE,KAAc;QACtH,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,8DAA8D;QACvE,WAAW,EAAE,8CAA8C;QAC3D,WAAW,EAAE,sDAAsD;QACnE,WAAW,EAAE,uEAAuE;KACrF;IACD;QACE,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,mBAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,KAAc;QAC3G,GAAG,EAAE,UAAU;QACf,OAAO,EAAE,gFAAgF;QACzF,WAAW,EAAE,4EAA4E;QACzF,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,+EAA+E;KAC7F;CACF,CAAC;AAEF,SAAgB,MAAM,CAAC,OAAe,EAAE,QAAgB,EAAE,QAAgB;IACxE,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEtE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC3B,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;oBACpB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBAC9B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;oBACzC,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;wBAAE,SAAS;gBACrE,CAAC;gBACD,QAAQ,CAAC,IAAI,CAAC;oBACZ,EAAE,EAAE,GAAG,GAAG,CAAC,EAAE,IAAI,QAAQ,IAAI,CAAC,GAAG,CAAC,EAAE;oBACpC,MAAM,EAAE,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC7D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU;oBAClD,QAAQ,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC;oBACrB,WAAW,EAAE,UAAU,CAAC,KAAK,EAAE,CAAC,CAAC;oBACjC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,KAAK;oBAC1B,WAAW,EAAE,GAAG,CAAC,WAAW;oBAC5B,WAAW,EAAE,IAAA,iCAAmB,EAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;iBAChE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,UAAU,CAAC,KAAe,EAAE,KAAa,EAAE,OAAO,GAAG,CAAC;IAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,GAAG,OAAO,GAAG,CAAC,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,KAAK,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1C,MAAM,OAAO,GAAG,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,KAAK,GAAG,CAAC,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QACjD,OAAO,GAAG,MAAM,IAAI,OAAO,MAAM,CAAC,EAAE,CAAC;IACvC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC"}

package/dist/detectors/secrets.d.ts

@@ -0,0 +1,4 @@
+import { Finding } from '../core/severity';
+export declare function detect(content: string, filePath: string, _language: string): Finding[];
+export declare function detectSecretsOnly(content: string, filePath: string): Finding[];
+//# sourceMappingURL=secrets.d.ts.map

package/dist/detectors/secrets.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets.d.ts","sourceRoot":"","sources":["../../src/detectors/secrets.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAY,MAAM,kBAAkB,CAAC;AA+FrD,wBAAgB,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,EAAE,CA2BtF;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE,CAE9E"}