itworksbut 0.4.0 → 0.5.0

package/README.md

@@ -197,7 +197,7 @@ Secret-like findings never print the full secret value. Findings report the file
 
 ## What It Detects
 
-The baseline includes 40 modular checks:
+The baseline includes 50 modular checks:
 
 - `git.gitignore-missing`
 - `git.gitignore-incomplete`
@@ -228,6 +228,10 @@ The baseline includes 40 modular checks:
 - `api.idor-risk`
 - `auth.jwt-secret-weak-or-fallback`
 - `auth.password-hashing-missing`
+- `auth.missing-csrf-protection`
+- `api.missing-method-guard`
+- `api.mass-assignment-risk`
+- `api.no-schema-validation`
 - `database.raw-sql-interpolation`
 - `database.no-migrations`
 - `cookies.insecure-session-cookie`
@@ -235,10 +239,16 @@ The baseline includes 40 modular checks:
 - `webhooks.missing-raw-body`
 - `llm.prompt-injection-risk`
 - `frontend.sourcemaps-production`
+- `frontend.localstorage-token`
+- `files.path-traversal-risk`
+- `ssrf.user-controlled-fetch`
+- `next.public-server-code-risk`
 - `config.debug-production`
 - `electron.node-integration-enabled`
 - `electron.context-isolation-disabled`
+- `electron.remote-content-with-node`
 - `tauri.dangerous-allowlist-or-capabilities`
+- `tauri.remote-url-permissions-risk`
 
 Each check is a plain ESM module with an `id`, metadata, and async `run(context)` function. Add new checks under `src/checks/` and register them in `src/checks/index.js`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "itworksbut",
-    "version": "0.4.0",
+    "version": "0.5.0",
     "description": "Static CI checks for common security, repo, dependency, build, and deployment risks in JavaScript vibe coding projects.",
     "type": "module",
     "bin": {

package/src/checks/api/mass-assignment-risk.js

@@ -0,0 +1,81 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset, readNearby } from "../helpers.js";
+
+const MASS_ASSIGNMENT_PATTERNS = [
+  {
+    regex: /\b(?:prisma\.\w+\.)?(?:create|update|upsert)\s*\(\s*{[\s\S]{0,600}?\bdata\s*:\s*(?:req\.body|body|input)\b/g,
+    label: "direct data object",
+    severity: "high"
+  },
+  {
+    regex: /\b(?:db|database|collection|\w+)\.(?:update|updateOne|updateMany|findOneAndUpdate)\s*\([\s\S]{0,300}?(?:req\.body|body|input)\b/g,
+    label: "direct update payload",
+    severity: "high"
+  },
+  {
+    regex: /\b(?:User|Account|Profile|Model|model|\w+)\.(?:create|update)\s*\(\s*(?:req\.body|body|input)\b/g,
+    label: "model create/update payload",
+    severity: "high"
+  },
+  {
+    regex: /\$set\s*:\s*(?:req\.body|body|input)\b/g,
+    label: "mongodb set payload",
+    severity: "high"
+  },
+  {
+    regex: /Object\.assign\s*\(\s*(?:user|entity|account|profile|record|model)[\w$]*\s*,\s*(?:req\.body|body|input)\b/g,
+    label: "object assign from request input",
+    severity: "medium"
+  },
+  {
+    regex: /\{\s*\.\.\.(?:req\.body|body)\s*}/g,
+    label: "spread request body",
+    severity: "medium",
+    requiresCreateOrUpdateContext: true
+  }
+];
+
+const SAFE_FIELD_RE =
+  /\b(?:pick|omit|allowedFields|allowlist|whitelist|safeData|validatedData|schema\.parse|schema\.safeParse|safeParse|zod|Joi|joi|yup|valibot)\b/i;
+const RISKY_FIELD_RE =
+  /\b(?:role|isAdmin|admin|plan|verified|emailVerified|ownerId|userId|tenantId|accountId|permissions|credits|balance|price|status)\b/i;
+const CREATE_OR_UPDATE_RE = /\b(?:create|update|upsert|insert|save|data\s*:|\$set)\b/i;
+
+export default {
+  id: "api.mass-assignment-risk",
+  title: "Create and update operations should not trust raw request bodies",
+  category: "api",
+  severity: "high",
+  tags: ["api", "database", "mass-assignment", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\b(?:req\.body|body|input|Object\.assign|\$set)\b/.test(content)) continue;
+
+      for (const pattern of MASS_ASSIGNMENT_PATTERNS) {
+        pattern.regex.lastIndex = 0;
+        let match;
+        while ((match = pattern.regex.exec(content)) !== null) {
+          const line = lineFromOffset(content, match.index);
+          const nearby = await readNearby(context, file, line, 8);
+          if (pattern.requiresCreateOrUpdateContext && !CREATE_OR_UPDATE_RE.test(nearby)) continue;
+          if (SAFE_FIELD_RE.test(nearby)) continue;
+
+          findings.push({
+            severity: RISKY_FIELD_RE.test(nearby) ? "high" : pattern.severity === "high" ? "high" : "medium",
+            message: "User-controlled input appears to be passed directly into a create or update operation.",
+            file,
+            line,
+            recommendation: "Whitelist allowed fields explicitly. Never pass req.body directly into database create/update calls.",
+            heuristic: true,
+            metadata: { pattern: pattern.label }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/api/missing-method-guard.js

@@ -0,0 +1,68 @@
+import { isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const ALL_ROUTE_RE = /\b(?:app|router|server)\.all\s*\(/g;
+const NEXT_PAGES_HANDLER_RE = /\bexport\s+default\s+(?:async\s+)?function\s+\w*\s*\(\s*(?:req|request)\s*,\s*(?:res|response)\s*\)/g;
+const NAMED_HANDLER_RE = /\bexport\s+(?:async\s+)?function\s+handler\s*\(\s*(?:req|request)\s*,\s*(?:res|response)\s*\)/g;
+const METHOD_GUARD_RE =
+  /\b(?:req|request)\.method\b|\bswitch\s*\(\s*(?:req|request)\.method\s*\)|\ballowedMethods\b|\bmethodNotAllowed\b|\breturn\s+new\s+Response\s*\([^)]*405|\bstatus\s*\(\s*405\s*\)/i;
+const METHOD_EXPORT_RE = /\bexport\s+(?:async\s+)?function\s+(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)\s*\(/;
+
+export default {
+  id: "api.missing-method-guard",
+  title: "API handlers should restrict HTTP methods",
+  category: "api",
+  severity: "medium",
+  tags: ["api", "http-methods", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!isApiCandidate(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      ALL_ROUTE_RE.lastIndex = 0;
+      let allMatch;
+      while ((allMatch = ALL_ROUTE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, allMatch.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (/\b(?:allowedMethods|methodNotAllowed|405)\b/i.test(nearby)) continue;
+        findings.push(methodFinding(file, line, "app-router-all"));
+      }
+
+      if (METHOD_EXPORT_RE.test(content) || METHOD_GUARD_RE.test(content)) continue;
+
+      for (const pattern of [NEXT_PAGES_HANDLER_RE, NAMED_HANDLER_RE]) {
+        pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          findings.push(methodFinding(file, lineFromOffset(content, match.index), "handler-without-method-guard"));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isApiCandidate(file) {
+  return (
+    /\.[cm]?[jt]sx?$/.test(file) &&
+    (isServerOrApiFile(file) ||
+      file.startsWith("routes/") ||
+      file.startsWith("api/") ||
+      file.includes("/controllers/") ||
+      file.includes("/handlers/"))
+  );
+}
+
+function methodFinding(file, line, pattern) {
+  return {
+    message: "This API handler appears to process requests without an explicit HTTP method guard.",
+    file,
+    line,
+    recommendation: "Restrict API routes to the intended HTTP methods and return 405 Method Not Allowed for unsupported methods.",
+    heuristic: true,
+    metadata: { pattern }
+  };
+}

package/src/checks/api/no-schema-validation.js

@@ -0,0 +1,68 @@
+import { isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const REQUEST_INPUT_RE =
+  /\breq\.(?:body|query|params)\b|\brequest\.json\s*\(|\bsearchParams\.get\s*\(|\bnew\s+URL\s*\(\s*(?:req|request)\.url\s*\)\.searchParams\b|\bformData\s*\(|\bctx\.request\.body\b/g;
+const VALIDATION_RE =
+  /\b(?:zod|Joi|joi|yup|valibot|ajv|superstruct|TypeBox|validator|validatedData)\b|\.safeParse\s*\(|\.parse\s*\(\s*(?:req\.body|body|input|payload|data)|\.validate\s*\(\s*(?:req\.body|body|input|payload|data)|\bschema\.(?:validate|parse|safeParse)\b/i;
+const GLOBAL_VALIDATION_RE = /\b(?:app|router|server)\.use\s*\([^)]*(?:validate|validator|schema|zod|joi|yup|ajv|valibot)/i;
+
+export default {
+  id: "api.no-schema-validation",
+  title: "API request input should be schema validated",
+  category: "api",
+  severity: "high",
+  tags: ["api", "validation", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+    const globalValidationSeen = await hasGlobalValidationMiddleware(context);
+    if (globalValidationSeen) return [];
+
+    for (const file of context.textFiles) {
+      if (!isApiFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      if (VALIDATION_RE.test(content)) continue;
+
+      REQUEST_INPUT_RE.lastIndex = 0;
+      const match = REQUEST_INPUT_RE.exec(content);
+      if (!match) continue;
+
+      const line = lineFromOffset(content, match.index);
+      const nearby = await readNearby(context, file, line, 10);
+      if (VALIDATION_RE.test(nearby)) continue;
+
+      findings.push({
+        message: "This API route appears to consume request input without an obvious schema validation step.",
+        file,
+        line,
+        recommendation: "Validate request body, query and params with a schema library such as Zod, Joi, Valibot, AJV or equivalent.",
+        heuristic: true,
+        metadata: { pattern: "request-input-without-schema-validation" }
+      });
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isApiFile(file) {
+  return (
+    /\.[cm]?[jt]sx?$/.test(file) &&
+    (isServerOrApiFile(file) ||
+      file.startsWith("api/") ||
+      file.startsWith("routes/") ||
+      file.startsWith("handlers/") ||
+      file.startsWith("controllers/") ||
+      file.includes("/handlers/") ||
+      file.includes("/controllers/"))
+  );
+}
+
+async function hasGlobalValidationMiddleware(context) {
+  for (const file of context.textFiles) {
+    if (!/\.[cm]?[jt]sx?$/.test(file) || !isServerOrApiFile(file)) continue;
+    const content = await context.readFileSafe(file);
+    if (content && GLOBAL_VALIDATION_RE.test(content)) return true;
+  }
+  return false;
+}

package/src/checks/auth/missing-csrf-protection.js

@@ -0,0 +1,75 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const COOKIE_AUTH_RE =
+  /\b(?:res\.cookie|cookies\(\)\.set|response\.cookies\.set|setCookie|serialize)\s*\(\s*["'`](?:session|token|auth|jwt)["'`]|cookieSession\s*\(|express-session|\bsession\s*\(|credentials\s*:\s*["'`]include["'`]|withCredentials\s*:\s*true/gi;
+const CSRF_PROTECTION_RE =
+  /\b(?:csrf|csurf|csrfToken|anti-csrf|verifyCsrf|validateCsrf|csrfProtection)\b|double\s+submit|\bsameSite\s*:\s*["'`]?(?:strict|lax)["'`]?\b/gi;
+const STATE_CHANGING_ROUTE_RE =
+  /\b(?:app|router|server)\.(?:post|put|patch|delete)\s*\(|\bmethod\s*:\s*["'`](?:POST|PUT|PATCH|DELETE)["'`]|\breq\.method\s*={0,3}\s*["'`](?:POST|PUT|PATCH|DELETE)["'`]|\bexport\s+async\s+function\s+(?:POST|PUT|PATCH|DELETE)\s*\(/g;
+
+export default {
+  id: "auth.missing-csrf-protection",
+  title: "Cookie-based authentication should include CSRF protection",
+  category: "auth",
+  severity: "high",
+  tags: ["auth", "csrf", "cookies", "heuristic"],
+  run: async (context) => {
+    const cookieMatches = [];
+    const stateChangingRoutes = [];
+    let csrfProtectionSeen = false;
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      CSRF_PROTECTION_RE.lastIndex = 0;
+      if (CSRF_PROTECTION_RE.test(content)) {
+        csrfProtectionSeen = true;
+        break;
+      }
+
+      COOKIE_AUTH_RE.lastIndex = 0;
+      let cookieMatch;
+      while ((cookieMatch = COOKIE_AUTH_RE.exec(content)) !== null) {
+        cookieMatches.push({
+          file,
+          line: lineFromOffset(content, cookieMatch.index),
+          pattern: normalizePattern(cookieMatch[0])
+        });
+        if (cookieMatches.length >= 25) break;
+      }
+
+      STATE_CHANGING_ROUTE_RE.lastIndex = 0;
+      let routeMatch;
+      while ((routeMatch = STATE_CHANGING_ROUTE_RE.exec(content)) !== null) {
+        stateChangingRoutes.push({
+          file,
+          line: lineFromOffset(content, routeMatch.index),
+          pattern: normalizePattern(routeMatch[0])
+        });
+        if (stateChangingRoutes.length >= 25) break;
+      }
+    }
+
+    if (csrfProtectionSeen || cookieMatches.length === 0 || stateChangingRoutes.length === 0) return [];
+
+    const primaryCookie = cookieMatches[0];
+    return stateChangingRoutes.slice(0, 25).map((route) => ({
+      message: "Cookie-based authentication appears to be used without an obvious CSRF protection mechanism.",
+      file: route.file,
+      line: route.line,
+      recommendation: "Use SameSite cookies, CSRF tokens or another explicit CSRF mitigation for state-changing routes.",
+      heuristic: true,
+      metadata: {
+        pattern: "cookie-auth-with-state-changing-route",
+        cookieFile: primaryCookie.file,
+        cookieLine: primaryCookie.line
+      }
+    }));
+  }
+};
+
+function normalizePattern(value) {
+  return String(value || "").replace(/\s+/g, " ").slice(0, 80);
+}

package/src/checks/electron/remote-content-with-node.js

@@ -0,0 +1,52 @@
+import { hasText, lineFromOffset, readNearby } from "../helpers.js";
+
+const LOAD_REMOTE_RE =
+  /\b(?:mainWindow|win|window|BrowserWindow|\w+)\.loadURL\s*\(\s*(?:["'`]https?:\/\/[^"'`]+["'`]|remoteUrl|process\.env\.\w+|config\.url)\s*\)/g;
+const RISKY_WEB_PREFERENCES_RE =
+  /\b(?:nodeIntegration\s*:\s*true|contextIsolation\s*:\s*false|webSecurity\s*:\s*false|allowRunningInsecureContent\s*:\s*true|experimentalFeatures\s*:\s*true|enableRemoteModule\s*:\s*true|sandbox\s*:\s*false)\b/i;
+
+export default {
+  id: "electron.remote-content-with-node",
+  title: "Electron remote content should not run with privileged renderer settings",
+  category: "electron",
+  severity: "critical",
+  tags: ["electron", "desktop", "xss", "heuristic"],
+  run: async (context) => {
+    if (!(await isElectronProject(context))) return [];
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!/\.[cm]?[jt]s$/.test(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/loadURL\s*\(/.test(content) || !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+      LOAD_REMOTE_RE.lastIndex = 0;
+      let match;
+      while ((match = LOAD_REMOTE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 20);
+        if (!RISKY_WEB_PREFERENCES_RE.test(nearby) && !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+        findings.push({
+          message: "Electron appears to load remote content while enabling risky renderer privileges.",
+          file,
+          line,
+          recommendation:
+            "Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.",
+          heuristic: true,
+          metadata: { pattern: "remote-load-url-with-risky-web-preferences" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isElectronProject(context) {
+  return (
+    context.hasDependency("electron") ||
+    context.hasDevDependency("electron") ||
+    (await hasText(context, /\b(?:from\s+["'`]electron["'`]|require\s*\(\s*["'`]electron["'`]\s*\)|BrowserWindow)\b/g))
+  );
+}

package/src/checks/files/path-traversal-risk.js

@@ -0,0 +1,62 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const FILE_PATH_SINK_RE =
+  /\b(?:fs\.(?:readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream)|res\.sendFile|reply\.sendFile|path\.(?:join|resolve)|Bun\.file|Deno\.readTextFile)\s*\(/g;
+const REQUEST_PATH_SOURCE_RE =
+  /\breq\.(?:query|params|body)\.(?:file|path|filename|filepath|filePath)\b|\brequest\.query\b|\bsearchParams\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)|\bformData\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)/i;
+const GENERIC_PATH_SOURCE_RE = /\b(?:userInput|filename|filepath|filePath|pathParam)\b/i;
+const PATH_MITIGATION_RE =
+  /\b(?:path\.basename|allowlist|allowedPaths|sanitizeFilename|safeJoin|validatePath|rejectPathSeparators)\b|(?:\bnormalize\b[\s\S]{0,160}\bstartsWith\s*\()|(?:\bstartsWith\s*\([\s\S]{0,160}\bbaseDir\b)|(?:\.\.["'`][\s\S]{0,120}(?:includes|reject|throw|return))/i;
+
+export default {
+  id: "files.path-traversal-risk",
+  title: "File path operations should not trust request input",
+  category: "files",
+  severity: "critical",
+  tags: ["files", "path-traversal", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\b(?:fs\.|sendFile|path\.|Bun\.file|Deno\.readTextFile)\b/.test(content)) continue;
+
+      FILE_PATH_SINK_RE.lastIndex = 0;
+      let match;
+      while ((match = FILE_PATH_SINK_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!hasRiskyPathSource(file, nearby)) continue;
+        if (PATH_MITIGATION_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to be used in a file path operation.",
+          file,
+          line,
+          recommendation:
+            "Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.",
+          heuristic: true,
+          metadata: { pattern: "user-input-file-path" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasRiskyPathSource(file, nearby) {
+  if (REQUEST_PATH_SOURCE_RE.test(nearby)) return true;
+  if (!GENERIC_PATH_SOURCE_RE.test(nearby)) return false;
+  return (
+    isServerOrApiFile(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    file.includes("/handlers/")
+  );
+}

package/src/checks/frontend/localstorage-token.js

@@ -0,0 +1,42 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const STORAGE_TOKEN_RE =
+  /\b(?:window\.)?(localStorage|sessionStorage)\.setItem\s*\(\s*["'`]([^"'`]*(?:token|jwt|access|refresh|auth|bearer|session)[^"'`]*)["'`]/gi;
+
+export default {
+  id: "frontend.localstorage-token",
+  title: "Authentication tokens should not live in browser storage by default",
+  category: "frontend",
+  severity: "high",
+  tags: ["frontend", "auth", "xss", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(?:localStorage|sessionStorage)\.setItem/.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        STORAGE_TOKEN_RE.lastIndex = 0;
+        let match;
+        while ((match = STORAGE_TOKEN_RE.exec(lines[index])) !== null) {
+          findings.push({
+            message: "Authentication tokens appear to be stored in localStorage or sessionStorage.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.",
+            heuristic: true,
+            metadata: {
+              pattern: `${match[1]}.setItem(auth-token-key)`
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/index.js

@@ -27,6 +27,10 @@ import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
 import idorRisk from "./auth/idor-risk.js";
 import jwtSecretWeakOrFallback from "./auth/jwt-secret-weak-or-fallback.js";
 import passwordHashingMissing from "./auth/password-hashing-missing.js";
+import missingCsrfProtection from "./auth/missing-csrf-protection.js";
+import missingMethodGuard from "./api/missing-method-guard.js";
+import massAssignmentRisk from "./api/mass-assignment-risk.js";
+import noSchemaValidation from "./api/no-schema-validation.js";
 import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
 import noMigrations from "./database/no-migrations.js";
 import insecureSessionCookie from "./cookies/insecure-session-cookie.js";
@@ -34,10 +38,16 @@ import publicExecutableUpload from "./uploads/public-executable-upload.js";
 import missingRawBody from "./webhooks/missing-raw-body.js";
 import promptInjectionRisk from "./llm/prompt-injection-risk.js";
 import sourceMapsProduction from "./frontend/sourcemaps-production.js";
+import localstorageToken from "./frontend/localstorage-token.js";
+import pathTraversalRisk from "./files/path-traversal-risk.js";
+import userControlledFetch from "./ssrf/user-controlled-fetch.js";
+import nextPublicServerCodeRisk from "./next/public-server-code-risk.js";
 import debugProduction from "./config/debug-production.js";
 import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
 import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
+import electronRemoteContentWithNode from "./electron/remote-content-with-node.js";
 import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
+import tauriRemoteUrlPermissionsRisk from "./tauri/remote-url-permissions-risk.js";
 
 export default [
   gitignoreMissing,
@@ -69,6 +79,10 @@ export default [
   idorRisk,
   jwtSecretWeakOrFallback,
   passwordHashingMissing,
+  missingCsrfProtection,
+  missingMethodGuard,
+  massAssignmentRisk,
+  noSchemaValidation,
   rawSqlInterpolation,
   noMigrations,
   insecureSessionCookie,
@@ -76,8 +90,14 @@ export default [
   missingRawBody,
   promptInjectionRisk,
   sourceMapsProduction,
+  localstorageToken,
+  pathTraversalRisk,
+  userControlledFetch,
+  nextPublicServerCodeRisk,
   debugProduction,
   electronNodeIntegrationEnabled,
   electronContextIsolationDisabled,
-  tauriDangerousAllowlistOrCapabilities
+  electronRemoteContentWithNode,
+  tauriDangerousAllowlistOrCapabilities,
+  tauriRemoteUrlPermissionsRisk
 ];

package/src/checks/next/public-server-code-risk.js

@@ -0,0 +1,64 @@
+import { hasText, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CLIENT_DIRECTIVE_RE = /^\s*["'`]use client["'`]\s*;?/m;
+const RISKY_CLIENT_CODE_RE =
+  /\bfrom\s+["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]|\brequire\s*\(\s*["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]\s*\)|\bfrom\s+["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]|\brequire\s*\(\s*["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]\s*\)|\bprisma\b|\bprocess\.env\.(?:DATABASE_URL|JWT_SECRET|STRIPE_SECRET_KEY|OPENAI_API_KEY)\b/g;
+
+export default {
+  id: "next.public-server-code-risk",
+  title: "Next.js Client Components should not import server-only code",
+  category: "next",
+  severity: "high",
+  tags: ["next", "frontend", "server-only", "heuristic"],
+  run: async (context) => {
+    if (!(await isNextProject(context))) return [];
+
+    const findings = [];
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isNextClientCandidate(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CLIENT_DIRECTIVE_RE.test(content)) continue;
+
+      RISKY_CLIENT_CODE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_CLIENT_CODE_RE.exec(content)) !== null) {
+        findings.push({
+          message: "A Next.js Client Component appears to import server-side code or access server-only configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.",
+          heuristic: true,
+          metadata: { pattern: classifyRisk(match[0]) }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isNextProject(context) {
+  return (
+    context.hasDependency("next") ||
+    context.hasDevDependency("next") ||
+    context.allFiles.some((file) => /^next\.config\.[cm]?[jt]s$/.test(file)) ||
+    context.allFiles.some((file) => file.startsWith("app/")) ||
+    (await hasText(context, /\bfrom\s+["'`]next\//g, { files: context.textFiles.filter((file) => /\.[cm]?[jt]sx?$/.test(file)) }))
+  );
+}
+
+function isNextClientCandidate(file) {
+  return (
+    /\.(?:js|jsx|ts|tsx)$/.test(file) &&
+    (file.startsWith("app/") || file.startsWith("components/") || file.includes("/components/"))
+  );
+}
+
+function classifyRisk(value) {
+  if (/process\.env/.test(value)) return "server-secret-env-access";
+  if (/prisma|db/.test(value)) return "database-import";
+  if (/child_process/.test(value)) return "child-process-import";
+  if (/server-only/.test(value)) return "server-only-import";
+  return "node-server-import";
+}

package/src/checks/ssrf/user-controlled-fetch.js

@@ -0,0 +1,60 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isFrontendFile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const HTTP_REQUEST_RE =
+  /\b(?:fetch|got|request|ky)\s*\(|\baxios\.(?:get|post|put|patch|delete|request)\s*\(|\baxios\s*\(\s*{|\bundici\.request\s*\(|\bhttps?\.get\s*\(/g;
+const USER_URL_SOURCE_RE =
+  /\breq\.(?:body|query|params)\.url\b|\bsearchParams\.get\s*\(\s*["'`]url["'`]\s*\)|\bformData\.get\s*\(\s*["'`]url["'`]\s*\)|\b(?:requestUrl|userUrl|targetUrl|webhookUrl|callbackUrl|imageUrl|avatarUrl)\b/i;
+const URL_ALLOWLIST_RE =
+  /\b(?:allowlist|allowedHosts|allowedDomains|hostname\s*(?:===|!==|==|!=)|private\s+IP|localhost\s+block|metadata\s+IP|validateUrl|isAllowedUrl|isPrivateIp|blockPrivate|blockLocalhost)\b|169\.254\.169\.254|127\.0\.0\.1|localhost/i;
+
+export default {
+  id: "ssrf.user-controlled-fetch",
+  title: "Server-side HTTP requests should not trust user-controlled URLs",
+  category: "ssrf",
+  severity: "critical",
+  tags: ["ssrf", "api", "network", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file) || isFrontendFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !isLikelyServerSide(file, content) || !/\b(?:fetch|axios|got|request|undici|http|https|ky)\b/.test(content)) continue;
+
+      HTTP_REQUEST_RE.lastIndex = 0;
+      let match;
+      while ((match = HTTP_REQUEST_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!USER_URL_SOURCE_RE.test(nearby)) continue;
+        if (URL_ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a server-side HTTP request.",
+          file,
+          line,
+          recommendation:
+            "Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.",
+          heuristic: true,
+          metadata: { pattern: "user-controlled-server-fetch" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isLikelyServerSide(file, content) {
+  return (
+    isServerOrApiFile(file) ||
+    /^server\.[cm]?[jt]s$/.test(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    /\b(?:req\.body|req\.query|req\.params|request\.json|ctx\.request|express|fastify|hono)\b/.test(content)
+  );
+}

package/src/checks/tauri/remote-url-permissions-risk.js

@@ -0,0 +1,115 @@
+import { lineFromOffset, parseJsonWithComments } from "../helpers.js";
+
+const CONFIG_FILES = ["src-tauri/tauri.conf.json", "src-tauri/tauri.conf.json5", "src-tauri/Tauri.toml"];
+const WEAK_CSP_RE =
+  /"csp"\s*:\s*(?:null|false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")|csp\s*=\s*(?:false|""|"[^"]*(?:\*|unsafe-inline|unsafe-eval)[^"]*")/gi;
+const DANGEROUS_ASSET_CSP_RE = /"dangerousDisableAssetCspModification"\s*:\s*true|dangerousDisableAssetCspModification\s*=\s*true/gi;
+const BROAD_ALLOWLIST_RE = /"allowlist"\s*:\s*{[\s\S]{0,400}?"all"\s*:\s*true|"all"\s*:\s*true[\s\S]{0,120}?"(?:shell|fs|http)"/gi;
+const BROAD_PERMISSION_RE =
+  /"permissions"\s*:\s*\[[\s\S]{0,240}?["'`]\*["'`]|["'`](?:shell|fs|http):(?:\*|allow-\*|allow-all|allow-execute|allow-fetch)["'`]|["'`]fs:allow-[^"'`]*["'`][\s\S]{0,160}(?:\*\*|["'`]\*["'`]|\/)|["'`]http:allow-fetch["'`][\s\S]{0,220}(?:["'`]\*["'`]|https?:\/\/\*)/gi;
+const REMOTE_URL_RE = /"(?:devUrl|frontendDist|url)"\s*:\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"|(?:devUrl|frontendDist|url)\s*=\s*"https?:\/\/(?!localhost\b|127\.0\.0\.1\b|0\.0\.0\.0\b)[^"]+"/gi;
+
+export default {
+  id: "tauri.remote-url-permissions-risk",
+  title: "Tauri remote URLs and permissions should be least privilege",
+  category: "tauri",
+  severity: "high",
+  tags: ["tauri", "desktop", "permissions", "heuristic"],
+  run: async (context) => {
+    if (!isTauriProject(context)) return [];
+    const findings = [];
+
+    for (const file of collectTauriFiles(context)) {
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      if (file.endsWith(".json") || file.endsWith(".json5")) {
+        inspectParsedJson(content, file, findings);
+      }
+
+      inspectRegexPattern(content, file, findings, WEAK_CSP_RE, "weak-csp");
+      inspectRegexPattern(content, file, findings, DANGEROUS_ASSET_CSP_RE, "dangerous-asset-csp");
+      inspectRegexPattern(content, file, findings, BROAD_ALLOWLIST_RE, "broad-allowlist");
+      inspectRegexPattern(content, file, findings, BROAD_PERMISSION_RE, "broad-permission");
+      inspectRegexPattern(content, file, findings, REMOTE_URL_RE, "remote-url");
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function isTauriProject(context) {
+  return (
+    context.allFiles.some((file) => file.startsWith("src-tauri/")) ||
+    context.hasDependency("@tauri-apps/api") ||
+    context.hasDevDependency("@tauri-apps/cli") ||
+    context.hasDependency("@tauri-apps/cli")
+  );
+}
+
+function collectTauriFiles(context) {
+  return context.textFiles.filter((file) => {
+    return (
+      CONFIG_FILES.includes(file) ||
+      /^src-tauri\/capabilities\/[^/]+\.json$/i.test(file) ||
+      /^src-tauri\/permissions\/[^/]+\.json$/i.test(file)
+    );
+  });
+}
+
+function inspectParsedJson(content, file, findings) {
+  let parsed;
+  try {
+    parsed = parseJsonWithComments(content);
+  } catch {
+    return;
+  }
+
+  const security = parsed?.app?.security || parsed?.tauri?.security || {};
+  if (security.csp === null || security.csp === false || security.csp === "") {
+    findings.push(finding(file, lineOfKey(content, "csp"), "weak-csp"));
+  }
+  if (security.dangerousDisableAssetCspModification === true) {
+    findings.push(finding(file, lineOfKey(content, "dangerousDisableAssetCspModification"), "dangerous-asset-csp"));
+  }
+
+  const permissions = JSON.stringify(parsed?.permissions || parsed?.app?.permissions || parsed?.tauri?.allowlist || []);
+  if (/"\*"|"all":true|shell:allow-execute|fs:allow-|http:allow-fetch/.test(permissions)) {
+    findings.push(finding(file, undefined, "broad-permission"));
+  }
+}
+
+function inspectRegexPattern(content, file, findings, regex, pattern) {
+  regex.lastIndex = 0;
+  let match;
+  while ((match = regex.exec(content)) !== null) {
+    findings.push(finding(file, lineFromOffset(content, match.index), pattern));
+  }
+}
+
+function finding(file, line, pattern) {
+  return {
+    message: "Tauri configuration appears to allow broad permissions, remote URLs or weak CSP settings.",
+    file,
+    line,
+    recommendation:
+      "Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.",
+    heuristic: true,
+    metadata: { pattern }
+  };
+}
+
+function lineOfKey(content, key) {
+  const index = content.indexOf(`"${key}"`);
+  return index >= 0 ? lineFromOffset(content, index) : undefined;
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((item) => {
+    const key = `${item.file}:${item.line || 0}:${item.metadata?.pattern || ""}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/cli/output.js

@@ -1,11 +1,10 @@
 import gradient from 'gradient-string';
 
 export function printUsage() {
-  process.stdout.write(`ItWorksBut
+    process.stdout.write(`ItWorksBut
 
 Usage:
   itworksbut scan [options]
-  node ./bin/itworksbut.js scan [options]
 
 Options:
   --path <path>       Project path to scan. Defaults to current directory.
@@ -25,14 +24,14 @@ Options:
 }
 
 export function printVersion(version) {
-  try {
-    process.stdout.write(`${gradient.rainbow(version)}\n`);
-  } catch {
-    process.stdout.write(`${version}\n`);
-  }
+    try {
+        process.stdout.write(`${gradient.rainbow(version)}\n`);
+    } catch {
+        process.stdout.write(`${version}\n`);
+    }
 }
 
 export function printRuntimeError(error) {
-  const message = error instanceof Error ? error.message : String(error);
-  process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`ItWorksBut runtime error: ${message}\n`);
 }

package/src/reporters/consoleStyle.js

@@ -26,6 +26,10 @@ const EDGY_TITLES = {
     'api.idor-risk': 'It works, but this ID lookup may belong to someone else.',
     'auth.jwt-secret-weak-or-fallback': 'It works, but your JWT secret has a fallback key.',
     'auth.password-hashing-missing': 'It works, but your passwords may be stored too honestly.',
+    'auth.missing-csrf-protection': 'It works, but your browser may be submitting forms behind your back.',
+    'api.missing-method-guard': 'It works, but your API does not care how it gets called.',
+    'api.mass-assignment-risk': 'It works, but your users may be editing fields they should never touch.',
+    'api.no-schema-validation': 'It works, but your API believes whatever the request says.',
     'database.raw-sql-interpolation': 'It works, but your SQL query is one template string away from pain.',
     'database.no-migrations': 'It works, but your database schema has no paper trail.',
     'cookies.insecure-session-cookie': 'It works, but your session cookie is dressed for localhost.',
@@ -33,10 +37,16 @@ const EDGY_TITLES = {
     'webhooks.missing-raw-body': 'It works, but your webhook signature check may be checking the wrong body.',
     'llm.prompt-injection-risk': 'It works, but your AI output has admin energy.',
     'frontend.sourcemaps-production': 'It works, but your source code may be shipping with the app.',
+    'frontend.localstorage-token': 'It works, but your auth token lives where XSS can read it.',
+    'files.path-traversal-risk': 'It works, but your file path may be taking requests too literally.',
+    'ssrf.user-controlled-fetch': 'It works, but your server is fetching whatever strangers ask for.',
+    'next.public-server-code-risk': 'It works, but your client component is carrying server baggage.',
     'config.debug-production': 'It works, but production still thinks it is a dev server.',
     'electron.node-integration-enabled': 'It works, but Electron is holding the Node.js door open.',
     'electron.context-isolation-disabled': 'It works, but your renderer and backend are sharing a room.',
+    'electron.remote-content-with-node': 'It works, but Electron is letting the internet sit next to Node.js.',
     'tauri.dangerous-allowlist-or-capabilities': 'It works, but your Tauri permissions look too generous.',
+    'tauri.remote-url-permissions-risk': 'It works, but your Tauri app is trusting too much surface area.',
 };
 
 const SEVERITY_META = {
@@ -100,6 +110,14 @@ const FIX_PROMPT_ACTIONS = {
         'Require a strong JWT secret from the environment in production and fail startup if it is missing.',
     'auth.password-hashing-missing':
         'Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.',
+    'auth.missing-csrf-protection':
+        'Use SameSite cookies, CSRF tokens or another explicit CSRF mitigation for state-changing routes.',
+    'api.missing-method-guard':
+        'Restrict API routes to the intended HTTP methods and return 405 Method Not Allowed for unsupported methods.',
+    'api.mass-assignment-risk':
+        'Whitelist allowed fields explicitly. Never pass req.body directly into database create/update calls.',
+    'api.no-schema-validation':
+        'Validate request body, query and params with a schema library such as Zod, Joi, Valibot, AJV or equivalent.',
     'database.raw-sql-interpolation':
         'Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder.',
     'database.no-migrations': 'Add versioned database migrations that match the detected ORM or database stack.',
@@ -113,14 +131,26 @@ const FIX_PROMPT_ACTIONS = {
         'Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.',
     'frontend.sourcemaps-production':
         'Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.',
+    'frontend.localstorage-token':
+        'Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.',
+    'files.path-traversal-risk':
+        'Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.',
+    'ssrf.user-controlled-fetch':
+        'Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.',
+    'next.public-server-code-risk':
+        'Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.',
     'config.debug-production':
         'Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.',
     'electron.node-integration-enabled':
         'Set nodeIntegration to false and expose only narrowly scoped APIs through preload.',
     'electron.context-isolation-disabled':
         'Enable contextIsolation and review preload boundaries for renderer-to-main communication.',
+    'electron.remote-content-with-node':
+        'Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.',
     'tauri.dangerous-allowlist-or-capabilities':
         'Tighten Tauri allowlists, capabilities, scopes, shell access, filesystem access, remote URLs, and CSP.',
+    'tauri.remote-url-permissions-risk':
+        'Use least-privilege capabilities, restrict shell/fs/http permissions, avoid broad wildcards, and configure a strict CSP.',
 };
 
 export function getConsoleFindingTitle(finding) {