itworksbut 0.3.0 → 0.5.0

package/src/checks/tauri/remote-url-permissions-risk.js

@@ -0,0 +1,115 @@
+import { lineFromOffset, parseJsonWithComments } from "../helpers.js";
+
+const CONFIG_FILES = ["src-tauri/tauri.conf.json", "src-tauri/tauri.conf.json5", "src-tauri/Tauri.toml"];
+const WEAK_CSP_RE =
+  /"csp"\s*:\s*(?:null|false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")|csp\s*=\s*(?:false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")/gi;
+const DANGEROUS_ASSET_CSP_RE = /"dangerousDisableAssetCspModification"\s*:\s*true|dangerousDisableAssetCspModification\s*=\s*true/gi;
+const BROAD_ALLOWLIST_RE = /"allowlist"\s*:\s*{[\s\S]{0,400}?"all"\s*:\s*true|"all"\s*:\s*true[\s\S]{0,120}?"(?:shell|fs|http)"/gi;
+const BROAD_PERMISSION_RE =
+  /"permissions"\s*:\s*\[[\s\S]{0,240}?["'`]\*["'`]|["'`](?:shell|fs|http):(?:\*|allow-\*|allow-all|allow-execute|allow-fetch)["'`]|["'`]fs:allow-[^"'`]*["'`][\s\S]{0,160}(?:\*\*|["'`]\*["'`]|\/)|["'`]http:allow-fetch["'`][\s\S]{0,220}(?:["'`]\*["'`]|https?:\/\/\*)/gi;
+const REMOTE_URL_RE = /"(?:devUrl|frontendDist|url)"\s*:\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"|(?:devUrl|frontendDist|url)\s*=\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"/gi;
+
+export default {
+  id: "tauri.remote-url-permissions-risk",
+  title: "Tauri remote URLs and permissions should be least privilege",
+  category: "tauri",
+  severity: "high",
+  tags: ["tauri", "desktop", "permissions", "heuristic"],
+  run: async (context) => {
+    if (!isTauriProject(context)) return [];
+    const findings = [];
+
+    for (const file of collectTauriFiles(context)) {
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      if (file.endsWith(".json") || file.endsWith(".json5")) {
+        inspectParsedJson(content, file, findings);
+      }
+
+      inspectRegexPattern(content, file, findings, WEAK_CSP_RE, "weak-csp");
+      inspectRegexPattern(content, file, findings, DANGEROUS_ASSET_CSP_RE, "dangerous-asset-csp");
+      inspectRegexPattern(content, file, findings, BROAD_ALLOWLIST_RE, "broad-allowlist");
+      inspectRegexPattern(content, file, findings, BROAD_PERMISSION_RE, "broad-permission");
+      inspectRegexPattern(content, file, findings, REMOTE_URL_RE, "remote-url");
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function isTauriProject(context) {
+  return (
+    context.allFiles.some((file) => file.startsWith("src-tauri/")) ||
+    context.hasDependency("@tauri-apps/api") ||
+    context.hasDevDependency("@tauri-apps/cli") ||
+    context.hasDependency("@tauri-apps/cli")
+  );
+}
+
+function collectTauriFiles(context) {
+  return context.textFiles.filter((file) => {
+    return (
+      CONFIG_FILES.includes(file) ||
+      /^src-tauri\/capabilities\/[^/]+\.json$/i.test(file) ||
+      /^src-tauri\/permissions\/[^/]+\.json$/i.test(file)
+    );
+  });
+}
+
+function inspectParsedJson(content, file, findings) {
+  let parsed;
+  try {
+    parsed = parseJsonWithComments(content);
+  } catch {
+    return;
+  }
+
+  const security = parsed?.app?.security || parsed?.tauri?.security || {};
+  if (security.csp === null || security.csp === false || security.csp === "") {
+    findings.push(finding(file, lineOfKey(content, "csp"), "weak-csp"));
+  }
+  if (security.dangerousDisableAssetCspModification === true) {
+    findings.push(finding(file, lineOfKey(content, "dangerousDisableAssetCspModification"), "dangerous-asset-csp"));
+  }
+
+  const permissions = JSON.stringify(parsed?.permissions || parsed?.app?.permissions || parsed?.tauri?.allowlist || []);
+  if (/"\*"|"all":true|shell:allow-execute|fs:allow-|http:allow-fetch/.test(permissions)) {
+    findings.push(finding(file, undefined, "broad-permission"));
+  }
+}
+
+function inspectRegexPattern(content, file, findings, regex, pattern) {
+  regex.lastIndex = 0;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    findings.push(finding(file, lineFromOffset(content, match.index), pattern));
+  }
+}
+
+function finding(file, line, pattern) {
+  return {
+    message: "Tauri configuration appears to allow broad permissions, remote URLs or weak CSP settings.",
+    file,
+    line,
+    recommendation:
+      "Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.",
+    heuristic: true,
+    metadata: { pattern }
+  };
+}
+
+function lineOfKey(content, key) {
+  const index = content.indexOf(`"${key}"`);
+  return index >= 0 ? lineFromOffset(content, index) : undefined;
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((item) => {
+    const key = `${item.file}:${item.line || 0}:${item.metadata?.pattern || ""}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/checks/uploads/public-executable-upload.js

@@ -0,0 +1,63 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PUBLIC_UPLOAD_PATH_RE = /(?:public|static|dist|build|\.next\/static)\/(?:uploads|files)/i;
+const PUBLIC_UPLOAD_PATTERNS = [
+  /multer\s*\(\s*{[\s\S]{0,500}?dest\s*:\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /\b(?:uploadDir|uploadsDir|destination)\b\s*=\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /path\.join\s*\([^)]*["'`](?:public|static|dist|build)["'`]\s*,\s*["'`](?:uploads|files)["'`]/gi,
+  /fs\.writeFile\s*\(\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)\//gi,
+  /app\.use\s*\(\s*["'`]\/(?:uploads|files)["'`]\s*,\s*express\.static\s*\(/gi,
+  /express\.static\s*\(\s*["'`](?:public|static)["'`]\s*\)/gi
+];
+const VALIDATION_RE = /\b(?:fileFilter|limits\s*:\s*{[\s\S]{0,120}?fileSize|limits\.fileSize|mimetype|allowedTypes|allowedMimeTypes)\b/i;
+
+export default {
+  id: "uploads.public-executable-upload",
+  title: "Uploads should not be stored directly in public web roots",
+  category: "uploads",
+  severity: "high",
+  tags: ["uploads", "static-files", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(upload|multer|express\.static|writeFile|public\/|static\/)/i.test(content)) continue;
+
+      for (const regex of PUBLIC_UPLOAD_PATTERNS) {
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          if (!PUBLIC_UPLOAD_PATH_RE.test(match[0]) && !/\/(?:uploads|files)/i.test(match[0])) continue;
+          const line = lineFromOffset(content, match.index);
+          const validationMissing = !VALIDATION_RE.test(nearbyText(content, line, 12));
+
+          findings.push({
+            message:
+              "Uploaded files appear to be stored in a public directory, possibly without strict file type and size validation.",
+            file,
+            line,
+            recommendation:
+              "Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.",
+            heuristic: true,
+            metadata: {
+              validationMissing
+            }
+          });
+          break;
+        }
+        if (findings.some((finding) => finding.file === file)) break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/webhooks/missing-raw-body.js

@@ -0,0 +1,82 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PROVIDER_RE =
+  /\b(?:stripe\.webhooks\.constructEvent|github webhook signature|x-hub-signature|svix|clerk|lemon\s*squeezy|lemonsqueezy|polar|paddle|webhook signature)\b/i;
+const PARSED_BODY_SIGNATURE_RE = /\b(?:stripe\.webhooks\.)?constructEvent\s*\(\s*req\.body\b/gi;
+const RAW_BODY_RE = /\b(?:express\.raw\s*\(|bodyParser\.raw\s*\(|rawBody|req\.rawBody|buffer)\b/i;
+const GLOBAL_JSON_RE = /\bapp\.use\s*\(\s*express\.json\s*\(/i;
+const WEBHOOK_ROUTE_RE = /\bapp\.(?:post|put|patch)\s*\(\s*["'`][^"'`]*webhook/i;
+
+export default {
+  id: "webhooks.missing-raw-body",
+  title: "Signed webhooks should verify the exact raw body",
+  category: "webhooks",
+  severity: "high",
+  tags: ["webhooks", "signatures", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PROVIDER_RE.test(content)) continue;
+
+      PARSED_BODY_SIGNATURE_RE.lastIndex = 0;
+      let match;
+      while ((match = PARSED_BODY_SIGNATURE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        if (RAW_BODY_RE.test(nearbyText(content, line, 12))) continue;
+        findings.push(webhookFinding(file, line, "parsed-body-signature-check"));
+      }
+
+      const jsonLine = firstLineMatching(content, GLOBAL_JSON_RE);
+      const routeLine = firstLineMatching(content, WEBHOOK_ROUTE_RE);
+      if (jsonLine && routeLine && jsonLine < routeLine && !RAW_BODY_RE.test(content)) {
+        findings.push(webhookFinding(file, jsonLine, "json-parser-before-webhook-route"));
+      }
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function webhookFinding(file, line, pattern) {
+  return {
+    message:
+      "Webhook signature verification appears to use a parsed request body. Some providers require the exact raw body.",
+    file,
+    line,
+    recommendation:
+      "Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+function firstLineMatching(content, regex) {
+  const lines = content.split(/\r?\n/);
+  for (let index = 0; index < lines.length; index += 1) {
+    regex.lastIndex = 0;
+    if (regex.test(lines[index])) return index + 1;
+  }
+  return null;
+}
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((finding) => {
+    const key = `${finding.file}:${finding.line}:${finding.metadata.pattern}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/cli/output.js

@@ -1,11 +1,10 @@
 import gradient from 'gradient-string';
 
 export function printUsage() {
-  process.stdout.write(`ItWorksBut
+    process.stdout.write(`ItWorksBut
 
 Usage:
   itworksbut scan [options]
-  node ./bin/itworksbut.js scan [options]
 
 Options:
   --path <path>       Project path to scan. Defaults to current directory.
@@ -25,14 +24,14 @@ Options:
 }
 
 export function printVersion(version) {
-  try {
-    process.stdout.write(`${gradient.rainbow(version)}\n`);
-  } catch {
-    process.stdout.write(`${version}\n`);
-  }
+    try {
+        process.stdout.write(`${gradient.rainbow(version)}\n`);
+    } catch {
+        process.stdout.write(`${version}\n`);
+    }
 }
 
 export function printRuntimeError(error) {
-  const message = error instanceof Error ? error.message : String(error);
-  process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
 }

package/src/reporters/consoleStyle.js

@@ -7,6 +7,7 @@ const EDGY_TITLES = {
     'env.env-file-tracked': 'It works, but your .env is tracked.',
     'env.possible-secret-in-code': 'It works, but your repo may be leaking secrets.',
     'env.frontend-secret-exposure': 'It works, but your frontend env variable smells like a backend secret.',
+    'secrets.secrets-in-logs': 'It works, but your logs may be leaking secrets.',
     'git.gitignore-missing': 'It works, but your repo forgot what not to commit.',
     'git.gitignore-incomplete': 'It works, but your .gitignore has holes.',
     'git.ignored-files-tracked': 'It works, but Git is already tracking files you meant to ignore.',
@@ -19,14 +20,33 @@ const EDGY_TITLES = {
     'node.rate-limit-missing': 'It works, but your endpoints have no brakes.',
     'node.helmet-missing': 'It works, but your HTTP headers are underdressed.',
     'node.cors-wildcard': 'It works, but CORS is holding the door open.',
+    'node.child-process-user-input': 'It works, but your shell command trusts the internet.',
     'web.dangerous-inner-html': 'It works, but your frontend is injecting HTML with sharp edges.',
     'api.missing-auth-on-routes': 'It works, but this API route appears to trust strangers.',
     'api.idor-risk': 'It works, but this ID lookup may belong to someone else.',
+    'auth.jwt-secret-weak-or-fallback': 'It works, but your JWT secret has a fallback key.',
+    'auth.password-hashing-missing': 'It works, but your passwords may be stored too honestly.',
+    'auth.missing-csrf-protection': 'It works, but your browser may be submitting forms behind your back.',
+    'api.missing-method-guard': 'It works, but your API does not care how it gets called.',
+    'api.mass-assignment-risk': 'It works, but your users may be editing fields they should never touch.',
+    'api.no-schema-validation': 'It works, but your API believes whatever the request says.',
     'database.raw-sql-interpolation': 'It works, but your SQL query is one template string away from pain.',
     'database.no-migrations': 'It works, but your database schema has no paper trail.',
+    'cookies.insecure-session-cookie': 'It works, but your session cookie is dressed for localhost.',
+    'uploads.public-executable-upload': 'It works, but your uploads are sitting in the front window.',
+    'webhooks.missing-raw-body': 'It works, but your webhook signature check may be checking the wrong body.',
+    'llm.prompt-injection-risk': 'It works, but your AI output has admin energy.',
+    'frontend.sourcemaps-production': 'It works, but your source code may be shipping with the app.',
+    'frontend.localstorage-token': 'It works, but your auth token lives where XSS can read it.',
+    'files.path-traversal-risk': 'It works, but your file path may be taking requests too literally.',
+    'ssrf.user-controlled-fetch': 'It works, but your server is fetching whatever strangers ask for.',
+    'next.public-server-code-risk': 'It works, but your client component is carrying server baggage.',
+    'config.debug-production': 'It works, but production still thinks it is a dev server.',
     'electron.node-integration-enabled': 'It works, but Electron is holding the Node.js door open.',
     'electron.context-isolation-disabled': 'It works, but your renderer and backend are sharing a room.',
+    'electron.remote-content-with-node': 'It works, but Electron is letting the internet sit next to Node.js.',
     'tauri.dangerous-allowlist-or-capabilities': 'It works, but your Tauri permissions look too generous.',
+    'tauri.remote-url-permissions-risk': 'It works, but your Tauri app is trusting too much surface area.',
 };
 
 const SEVERITY_META = {
@@ -44,6 +64,8 @@ const FIX_PROMPT_ACTIONS = {
         'Move hardcoded secret material into a runtime secret store or CI secret, replace committed values with placeholders, and avoid printing secret values anywhere.',
     'env.frontend-secret-exposure':
         'Move secret-like frontend environment variables to server-side code and keep only intentionally public values behind public prefixes.',
+    'secrets.secrets-in-logs':
+        'Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.',
     'git.gitignore-missing':
         'Add a project-appropriate .gitignore for dependencies, local env files, build output, logs, databases, OS files, and coverage artifacts.',
     'git.gitignore-incomplete':
@@ -73,6 +95,8 @@ const FIX_PROMPT_ACTIONS = {
         'Install and apply Helmet or equivalent security headers early in the Express middleware stack.',
     'node.cors-wildcard':
         'Restrict CORS origins to trusted application origins and avoid wildcard or credentials-unsafe configurations.',
+    'node.child-process-user-input':
+        'Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.',
     'web.client-side-auth-only':
         'Move authorization enforcement to server-side API or route handlers and keep frontend checks as UI-only hints.',
     'web.dangerous-inner-html':
@@ -82,15 +106,51 @@ const FIX_PROMPT_ACTIONS = {
         'Add explicit authentication and authorization to the route, or document why the route is intentionally public.',
     'api.idor-risk':
         'Scope object access by authenticated user, owner, tenant, account, or organization in addition to object id.',
+    'auth.jwt-secret-weak-or-fallback':
+        'Require a strong JWT secret from the environment in production and fail startup if it is missing.',
+    'auth.password-hashing-missing':
+        'Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.',
+    'auth.missing-csrf-protection':
+        'Use SameSite cookies, CSRF tokens or another explicit CSRF mitigation for state-changing routes.',
+    'api.missing-method-guard':
+        'Restrict API routes to the intended HTTP methods and return 405 Method Not Allowed for unsupported methods.',
+    'api.mass-assignment-risk':
+        'Whitelist allowed fields explicitly. Never pass req.body directly into database create/update calls.',
+    'api.no-schema-validation':
+        'Validate request body, query and params with a schema library such as Zod, Joi, Valibot, AJV or equivalent.',
     'database.raw-sql-interpolation':
         'Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder.',
     'database.no-migrations': 'Add versioned database migrations that match the detected ORM or database stack.',
+    'cookies.insecure-session-cookie':
+        'Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.',
+    'uploads.public-executable-upload':
+        'Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.',
+    'webhooks.missing-raw-body':
+        'Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.',
+    'llm.prompt-injection-risk':
+        'Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.',
+    'frontend.sourcemaps-production':
+        'Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.',
+    'frontend.localstorage-token':
+        'Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.',
+    'files.path-traversal-risk':
+        'Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.',
+    'ssrf.user-controlled-fetch':
+        'Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.',
+    'next.public-server-code-risk':
+        'Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.',
+    'config.debug-production':
+        'Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.',
     'electron.node-integration-enabled':
         'Set nodeIntegration to false and expose only narrowly scoped APIs through preload.',
     'electron.context-isolation-disabled':
         'Enable contextIsolation and review preload boundaries for renderer-to-main communication.',
+    'electron.remote-content-with-node':
+        'Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.',
     'tauri.dangerous-allowlist-or-capabilities':
         'Tighten Tauri allowlists, capabilities, scopes, shell access, filesystem access, remote URLs, and CSP.',
+    'tauri.remote-url-permissions-risk':
+        'Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.',
 };
 
 export function getConsoleFindingTitle(finding) {