itworksbut 0.3.0 → 0.5.0

package/src/checks/files/path-traversal-risk.js

@@ -0,0 +1,62 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const FILE_PATH_SINK_RE =
+  /\b(?:fs\.(?:readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream)|res\.sendFile|reply\.sendFile|path\.(?:join|resolve)|Bun\.file|Deno\.readTextFile)\s*\(/g;
+const REQUEST_PATH_SOURCE_RE =
+  /\breq\.(?:query|params|body)\.(?:file|path|filename|filepath|filePath)\b|\brequest\.query\b|\bsearchParams\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)|\bformData\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)/i;
+const GENERIC_PATH_SOURCE_RE = /\b(?:userInput|filename|filepath|filePath|pathParam)\b/i;
+const PATH_MITIGATION_RE =
+  /\b(?:path\.basename|allowlist|allowedPaths|sanitizeFilename|safeJoin|validatePath|rejectPathSeparators)\b|(?:\bnormalize\b[\s\S]{0,160}\bstartsWith\s*\()|(?:\bstartsWith\s*\([\s\S]{0,160}\bbaseDir\b)|(?:\.\.["'`][\s\S]{0,120}(?:includes|reject|throw|return))/i;
+
+export default {
+  id: "files.path-traversal-risk",
+  title: "File path operations should not trust request input",
+  category: "files",
+  severity: "critical",
+  tags: ["files", "path-traversal", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\b(?:fs\.|sendFile|path\.|Bun\.file|Deno\.readTextFile)\b/.test(content)) continue;
+
+      FILE_PATH_SINK_RE.lastIndex = 0;
+      let match;
+      while ((match = FILE_PATH_SINK_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!hasRiskyPathSource(file, nearby)) continue;
+        if (PATH_MITIGATION_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to be used in a file path operation.",
+          file,
+          line,
+          recommendation:
+            "Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.",
+          heuristic: true,
+          metadata: { pattern: "user-input-file-path" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasRiskyPathSource(file, nearby) {
+  if (REQUEST_PATH_SOURCE_RE.test(nearby)) return true;
+  if (!GENERIC_PATH_SOURCE_RE.test(nearby)) return false;
+  return (
+    isServerOrApiFile(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    file.includes("/handlers/")
+  );
+}

package/src/checks/frontend/localstorage-token.js

@@ -0,0 +1,42 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const STORAGE_TOKEN_RE =
+  /\b(?:window\.)?(localStorage|sessionStorage)\.setItem\s*\(\s*["'`]([^"'`]*(?:token|jwt|access|refresh|auth|bearer|session)[^"'`]*)["'`]/gi;
+
+export default {
+  id: "frontend.localstorage-token",
+  title: "Authentication tokens should not live in browser storage by default",
+  category: "frontend",
+  severity: "high",
+  tags: ["frontend", "auth", "xss", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(?:localStorage|sessionStorage)\.setItem/.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        STORAGE_TOKEN_RE.lastIndex = 0;
+        let match;
+        while ((match = STORAGE_TOKEN_RE.exec(lines[index])) !== null) {
+          findings.push({
+            message: "Authentication tokens appear to be stored in localStorage or sessionStorage.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.",
+            heuristic: true,
+            metadata: {
+              pattern: `${match[1]}.setItem(auth-token-key)`
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/frontend/sourcemaps-production.js

@@ -0,0 +1,90 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+import { normalizeRelativePath } from "../../utils/path.js";
+
+const SOURCEMAP_CONFIG_RE =
+  /\b(?:sourcemap|productionBrowserSourceMaps)\s*:\s*true\b|\bGENERATE_SOURCEMAP\s*=\s*true\b|\bdevtool\s*:\s*["'`](?:source-map|inline-source-map|eval-source-map)["'`]/gi;
+const SOURCEMAP_DIRS = ["dist", "build", ".next", "out"];
+const MAX_SOURCEMAP_FILES = 100;
+
+export default {
+  id: "frontend.sourcemaps-production",
+  title: "Production source maps should not be served publicly by accident",
+  category: "frontend",
+  severity: "medium",
+  tags: ["frontend", "sourcemaps", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      SOURCEMAP_CONFIG_RE.lastIndex = 0;
+      let match;
+      while ((match = SOURCEMAP_CONFIG_RE.exec(content)) !== null) {
+        findings.push(sourceMapFinding(file, lineFromOffset(content, match.index), "sourcemap-config-enabled"));
+      }
+    }
+
+    const mapFiles = await collectGeneratedSourceMaps(context.rootPath);
+    for (const file of mapFiles) {
+      findings.push(sourceMapFinding(file, undefined, "generated-map-file"));
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function sourceMapFinding(file, line, pattern) {
+  return {
+    message: "Production source maps appear to be enabled or generated.",
+    file,
+    line,
+    recommendation:
+      "Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+async function collectGeneratedSourceMaps(rootPath) {
+  const results = [];
+
+  for (const directory of SOURCEMAP_DIRS) {
+    await visit(path.join(rootPath, directory), rootPath, results);
+    if (results.length >= MAX_SOURCEMAP_FILES) break;
+  }
+
+  return results.slice(0, MAX_SOURCEMAP_FILES);
+}
+
+async function visit(directory, rootPath, results) {
+  if (results.length >= MAX_SOURCEMAP_FILES) return;
+
+  let entries;
+  try {
+    entries = await fs.readdir(directory, { withFileTypes: true });
+  } catch {
+    return;
+  }
+
+  for (const entry of entries) {
+    if (results.length >= MAX_SOURCEMAP_FILES) return;
+    if (entry.name === "node_modules") continue;
+
+    const absolutePath = path.join(directory, entry.name);
+    if (entry.isDirectory()) {
+      await visit(absolutePath, rootPath, results);
+      continue;
+    }
+
+    if (entry.isFile() && entry.name.endsWith(".map")) {
+      results.push(normalizeRelativePath(path.relative(rootPath, absolutePath)));
+    }
+  }
+}

package/src/checks/index.js

@@ -5,6 +5,7 @@ import envFileTracked from "./env/env-file-tracked.js";
 import envExampleMissing from "./env/env-example-missing.js";
 import possibleSecretInCode from "./env/possible-secret-in-code.js";
 import frontendSecretExposure from "./env/frontend-secret-exposure.js";
+import secretsInLogs from "./secrets/secrets-in-logs.js";
 import lockfileMissing from "./dependencies/lockfile-missing.js";
 import multipleLockfiles from "./dependencies/multiple-lockfiles.js";
 import installScriptsRisk from "./dependencies/install-scripts-risk.js";
@@ -18,16 +19,35 @@ import expressJsonLimitMissing from "./node/express-json-limit-missing.js";
 import rateLimitMissing from "./node/rate-limit-missing.js";
 import helmetMissing from "./node/helmet-missing.js";
 import corsWildcard from "./node/cors-wildcard.js";
+import childProcessUserInput from "./node/child-process-user-input.js";
 import clientSideAuthOnly from "./web/client-side-auth-only.js";
 import dangerousInnerHtml from "./web/dangerous-inner-html.js";
 import missingOutputSanitization from "./web/missing-output-sanitization.js";
 import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
 import idorRisk from "./auth/idor-risk.js";
+import jwtSecretWeakOrFallback from "./auth/jwt-secret-weak-or-fallback.js";
+import passwordHashingMissing from "./auth/password-hashing-missing.js";
+import missingCsrfProtection from "./auth/missing-csrf-protection.js";
+import missingMethodGuard from "./api/missing-method-guard.js";
+import massAssignmentRisk from "./api/mass-assignment-risk.js";
+import noSchemaValidation from "./api/no-schema-validation.js";
 import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
 import noMigrations from "./database/no-migrations.js";
+import insecureSessionCookie from "./cookies/insecure-session-cookie.js";
+import publicExecutableUpload from "./uploads/public-executable-upload.js";
+import missingRawBody from "./webhooks/missing-raw-body.js";
+import promptInjectionRisk from "./llm/prompt-injection-risk.js";
+import sourceMapsProduction from "./frontend/sourcemaps-production.js";
+import localstorageToken from "./frontend/localstorage-token.js";
+import pathTraversalRisk from "./files/path-traversal-risk.js";
+import userControlledFetch from "./ssrf/user-controlled-fetch.js";
+import nextPublicServerCodeRisk from "./next/public-server-code-risk.js";
+import debugProduction from "./config/debug-production.js";
 import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
 import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
+import electronRemoteContentWithNode from "./electron/remote-content-with-node.js";
 import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
+import tauriRemoteUrlPermissionsRisk from "./tauri/remote-url-permissions-risk.js";
 
 export default [
   gitignoreMissing,
@@ -37,6 +57,7 @@ export default [
   envExampleMissing,
   possibleSecretInCode,
   frontendSecretExposure,
+  secretsInLogs,
   lockfileMissing,
   multipleLockfiles,
   installScriptsRisk,
@@ -50,14 +71,33 @@ export default [
   rateLimitMissing,
   helmetMissing,
   corsWildcard,
+  childProcessUserInput,
   clientSideAuthOnly,
   dangerousInnerHtml,
   missingOutputSanitization,
   missingAuthOnRoutes,
   idorRisk,
+  jwtSecretWeakOrFallback,
+  passwordHashingMissing,
+  missingCsrfProtection,
+  missingMethodGuard,
+  massAssignmentRisk,
+  noSchemaValidation,
   rawSqlInterpolation,
   noMigrations,
+  insecureSessionCookie,
+  publicExecutableUpload,
+  missingRawBody,
+  promptInjectionRisk,
+  sourceMapsProduction,
+  localstorageToken,
+  pathTraversalRisk,
+  userControlledFetch,
+  nextPublicServerCodeRisk,
+  debugProduction,
   electronNodeIntegrationEnabled,
   electronContextIsolationDisabled,
-  tauriDangerousAllowlistOrCapabilities
+  electronRemoteContentWithNode,
+  tauriDangerousAllowlistOrCapabilities,
+  tauriRemoteUrlPermissionsRisk
 ];

package/src/checks/llm/prompt-injection-risk.js

@@ -0,0 +1,57 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const LLM_USAGE_RE =
+  /\b(?:openai\.chat\.completions\.create|openai\.responses\.create|anthropic\.messages\.create|generateText|streamText|ollama|langchain|aiOutput|completion|modelOutput|llmResponse)\b/i;
+const LLM_OUTPUT_RE = /\b(?:aiOutput|completion|modelOutput|llmResponse|llmResult|modelResponse)\b/i;
+const DANGEROUS_USE_RE =
+  /\b(?:eval|exec|execSync|spawn|spawnSync|db\.query|JSON\.parse|fetch)\s*\(\s*([^)\n;]+)|\bnew\s+Function\s*\(\s*([^)\n;]+)|\bprisma\.\$queryRawUnsafe\s*\(\s*([^)\n;]+)|\binnerHTML\s*=\s*([^;\n]+)|dangerouslySetInnerHTML\s*=\s*{{[\s\S]{0,200}?__html\s*:\s*([^}\n]+)|\bfs\.writeFile\s*\([^,\n]+,\s*([^)\n;]+)/gi;
+
+export default {
+  id: "llm.prompt-injection-risk",
+  title: "LLM output should not flow directly into dangerous actions",
+  category: "llm",
+  severity: "high",
+  tags: ["llm", "prompt-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !LLM_USAGE_RE.test(content)) continue;
+
+      DANGEROUS_USE_RE.lastIndex = 0;
+      let match;
+      while ((match = DANGEROUS_USE_RE.exec(content)) !== null) {
+        const argument = match.slice(1).find(Boolean) || "";
+        if (!LLM_OUTPUT_RE.test(argument)) continue;
+
+        findings.push({
+          message:
+            "LLM output appears to flow into code execution, shell commands, HTML injection, database queries, file writes or network requests.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.",
+          heuristic: true,
+          metadata: {
+            pattern: classifyDangerousUse(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function classifyDangerousUse(value) {
+  if (/\beval\b|\bFunction\b/.test(value)) return "code-execution";
+  if (/\bexec|spawn/.test(value)) return "shell-command";
+  if (/innerHTML|dangerouslySetInnerHTML/.test(value)) return "html-injection";
+  if (/query/.test(value)) return "database-query";
+  if (/writeFile/.test(value)) return "file-write";
+  if (/fetch/.test(value)) return "network-request";
+  if (/JSON\.parse/.test(value)) return "unvalidated-json-parse";
+  return "dangerous-llm-output-use";
+}

package/src/checks/next/public-server-code-risk.js

@@ -0,0 +1,64 @@
+import { hasText, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CLIENT_DIRECTIVE_RE = /^\s*["'`]use client["'`]\s*;?/m;
+const RISKY_CLIENT_CODE_RE =
+  /\bfrom\s+["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]|\brequire\s*\(\s*["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]\s*\)|\bfrom\s+["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]|\brequire\s*\(\s*["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]\s*\)|\bprisma\b|\bprocess\.env\.(?:DATABASE_URL|JWT_SECRET|STRIPE_SECRET_KEY|OPENAI_API_KEY)\b/g;
+
+export default {
+  id: "next.public-server-code-risk",
+  title: "Next.js Client Components should not import server-only code",
+  category: "next",
+  severity: "high",
+  tags: ["next", "frontend", "server-only", "heuristic"],
+  run: async (context) => {
+    if (!(await isNextProject(context))) return [];
+
+    const findings = [];
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isNextClientCandidate(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CLIENT_DIRECTIVE_RE.test(content)) continue;
+
+      RISKY_CLIENT_CODE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_CLIENT_CODE_RE.exec(content)) !== null) {
+        findings.push({
+          message: "A Next.js Client Component appears to import server-side code or access server-only configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.",
+          heuristic: true,
+          metadata: { pattern: classifyRisk(match[0]) }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isNextProject(context) {
+  return (
+    context.hasDependency("next") ||
+    context.hasDevDependency("next") ||
+    context.allFiles.some((file) => /^next\.config\.[cm]?[jt]s$/.test(file)) ||
+    context.allFiles.some((file) => file.startsWith("app/")) ||
+    (await hasText(context, /\bfrom\s+["'`]next\//g, { files: context.textFiles.filter((file) => /\.[cm]?[jt]sx?$/.test(file)) }))
+  );
+}
+
+function isNextClientCandidate(file) {
+  return (
+    /\.(?:js|jsx|ts|tsx)$/.test(file) &&
+    (file.startsWith("app/") || file.startsWith("components/") || file.includes("/components/"))
+  );
+}
+
+function classifyRisk(value) {
+  if (/process\.env/.test(value)) return "server-secret-env-access";
+  if (/prisma|db/.test(value)) return "database-import";
+  if (/child_process/.test(value)) return "child-process-import";
+  if (/server-only/.test(value)) return "server-only-import";
+  return "node-server-import";
+}

package/src/checks/node/child-process-user-input.js

@@ -0,0 +1,54 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CHILD_PROCESS_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(([^;\n]*)/gi;
+const CHILD_PROCESS_IMPORT_RE = /\bchild_process\b|\bfrom\s+["'`]node:child_process["'`]|\brequire\s*\(\s*["'`](?:node:)?child_process["'`]\s*\)/i;
+const USER_INPUT_RE =
+  /\b(?:req\.(?:body|query|params)|request\.body|searchParams|process\.argv|formData|userInput|input|filename|branch|url)\b/i;
+const ALLOWLIST_RE = /\b(?:allowlist|allowed|whitelist|safeList|zod|schema|validate|validator|assertAllowed)\b/i;
+
+export default {
+  id: "node.child-process-user-input",
+  title: "Child process commands should not trust user input",
+  category: "node",
+  severity: "critical",
+  tags: ["node", "command-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CHILD_PROCESS_IMPORT_RE.test(content)) continue;
+
+      CHILD_PROCESS_RE.lastIndex = 0;
+      let match;
+      while ((match = CHILD_PROCESS_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 8);
+        if (!USER_INPUT_RE.test(match[1] || nearby)) continue;
+        if (ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a child process command.",
+          file,
+          line,
+          recommendation:
+            "Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.",
+          heuristic: true,
+          metadata: {
+            pattern: "child-process-user-input"
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/secrets/secrets-in-logs.js

@@ -0,0 +1,86 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const LOG_CALL_RE = /\b(?:console\.(?:log|error|debug|info|warn)|logger\.(?:info|debug|error|warn|trace))\s*\(([^)]*)\)/g;
+const SECRET_TERMS = [
+  "SECRET",
+  "TOKEN",
+  "KEY",
+  "PASSWORD",
+  "DATABASE_URL",
+  "PRIVATE",
+  "SERVICE_ROLE",
+  "OPENAI_API_KEY",
+  "STRIPE_SECRET_KEY",
+  "JWT_SECRET",
+  "GITHUB_TOKEN",
+  "AWS_SECRET_ACCESS_KEY"
+];
+
+export default {
+  id: "secrets.secrets-in-logs",
+  title: "Logs should not include secrets or sensitive request data",
+  category: "secrets",
+  severity: "high",
+  tags: ["secrets", "logging", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+        LOG_CALL_RE.lastIndex = 0;
+
+        let match;
+        while ((match = LOG_CALL_RE.exec(line)) !== null) {
+          const args = match[1] || "";
+          if (!containsSensitiveLogTarget(args)) continue;
+
+          findings.push({
+            message:
+              "Logging environment variables, headers, request bodies or secret-like config values may expose sensitive data.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.",
+            heuristic: true,
+            metadata: {
+              secretType: detectSecretType(args),
+              valueRedacted: true
+            }
+          });
+          break;
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function containsSensitiveLogTarget(value) {
+  return (
+    /\bprocess\.env(?:\.[A-Z0-9_]+)?\b/.test(value) ||
+    /\b(?:req|request)\.(?:headers|body)\b/.test(value) ||
+    /\bconfig\b/i.test(value) ||
+    SECRET_TERMS.some((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value))
+  );
+}
+
+function detectSecretType(value) {
+  const match = SECRET_TERMS.find((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value));
+  if (match) return match;
+  if (/\bprocess\.env\b/.test(value)) return "ENVIRONMENT";
+  if (/\b(?:req|request)\.headers\b/.test(value)) return "REQUEST_HEADERS";
+  if (/\b(?:req|request)\.body\b/.test(value)) return "REQUEST_BODY";
+  if (/\bconfig\b/i.test(value)) return "CONFIG";
+  return "UNKNOWN";
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/ssrf/user-controlled-fetch.js

@@ -0,0 +1,60 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isFrontendFile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const HTTP_REQUEST_RE =
+  /\b(?:fetch|got|request|ky)\s*\(|\baxios\.(?:get|post|put|patch|delete|request)\s*\(|\baxios\s*\(\s*{|\bundici\.request\s*\(|\bhttps?\.get\s*\(/g;
+const USER_URL_SOURCE_RE =
+  /\breq\.(?:body|query|params)\.url\b|\bsearchParams\.get\s*\(\s*["'`]url["'`]\s*\)|\bformData\.get\s*\(\s*["'`]url["'`]\s*\)|\b(?:requestUrl|userUrl|targetUrl|webhookUrl|callbackUrl|imageUrl|avatarUrl)\b/i;
+const URL_ALLOWLIST_RE =
+  /\b(?:allowlist|allowedHosts|allowedDomains|hostname\s*(?:===|!==|==|!=)|private\s+IP|localhost\s+block|metadata\s+IP|validateUrl|isAllowedUrl|isPrivateIp|blockPrivate|blockLocalhost)\b|169\.254\.169\.254|127\.0\.0\.1|localhost/i;
+
+export default {
+  id: "ssrf.user-controlled-fetch",
+  title: "Server-side HTTP requests should not trust user-controlled URLs",
+  category: "ssrf",
+  severity: "critical",
+  tags: ["ssrf", "api", "network", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file) || isFrontendFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !isLikelyServerSide(file, content) || !/\b(?:fetch|axios|got|request|undici|http|https|ky)\b/.test(content)) continue;
+
+      HTTP_REQUEST_RE.lastIndex = 0;
+      let match;
+      while ((match = HTTP_REQUEST_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!USER_URL_SOURCE_RE.test(nearby)) continue;
+        if (URL_ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a server-side HTTP request.",
+          file,
+          line,
+          recommendation:
+            "Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.",
+          heuristic: true,
+          metadata: { pattern: "user-controlled-server-fetch" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isLikelyServerSide(file, content) {
+  return (
+    isServerOrApiFile(file) ||
+    /^server\.[cm]?[jt]s$/.test(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    /\b(?:req\.body|req\.query|req\.params|request\.json|ctx\.request|express|fastify|hono)\b/.test(content)
+  );
+}