itworksbut 0.4.0 → 0.6.0

package/src/checks/dependencies/outdated-packages.js

@@ -0,0 +1,297 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { detectOutdatedPackageManager, getOutdatedCommand } from "../../utils/packageManager.js";
+
+const execFileAsync = promisify(execFile);
+const CHECK_ID = "dependencies.outdated-packages";
+const CHECK_TITLE = "Outdated packages";
+const COMMAND_TIMEOUT_MS = 30_000;
+const COMMAND_MAX_BUFFER = 10 * 1024 * 1024;
+
+export default {
+  id: CHECK_ID,
+  title: CHECK_TITLE,
+  category: "dependencies",
+  severity: "info",
+  tags: ["dependencies", "maintenance"],
+  run: async (context) => {
+    const result = await runOutdatedPackagesCheck(context);
+    return { findings: [], result };
+  }
+};
+
+export async function runOutdatedPackagesCheck(context, options = {}) {
+  const detected = detectOutdatedPackageManager({
+    packageJson: context.packageJson,
+    files: context.allFiles
+  });
+
+  if (detected.status === "skip") {
+    return checkResult({
+      status: "skip",
+      summary: detected.summary,
+      metadata: { reason: "missing-package-json" }
+    });
+  }
+
+  const commandResult = await runOutdatedCommand(detected.manager, context.rootPath, options);
+  if (isMissingCommand(commandResult)) {
+    return checkResult({
+      status: "fail",
+      summary: `${detected.manager} is not installed or could not be found.`,
+      details: [
+        {
+          message: `${detected.manager} is not installed or could not be found.`,
+          command: renderCommand(commandResult),
+          exitCode: commandResult.exitCode
+        }
+      ],
+      metadata: { packageManager: detected.manager }
+    });
+  }
+
+  const parsed = parseOutdatedOutput(detected.manager, commandResult.stdout, context.packageJson);
+  if (!parsed.ok) {
+    if (!hasCommandFailure(commandResult) && isEmptyOutput(commandResult.stdout)) {
+      return checkResult({
+        status: "pass",
+        summary: "all dependencies are up to date",
+        details: [],
+        metadata: { packageManager: detected.manager }
+      });
+    }
+
+    return checkResult({
+      status: "fail",
+      summary: `${detected.manager} outdated returned output that could not be parsed.`,
+      details: [
+        {
+          message: parsed.error,
+          command: renderCommand(commandResult),
+          exitCode: commandResult.exitCode,
+          stderr: trimText(commandResult.stderr)
+        }
+      ],
+      metadata: { packageManager: detected.manager }
+    });
+  }
+
+  if ((hasCommandFailure(commandResult) || hasEmptyExitOneFailure(commandResult)) && parsed.packages.length === 0) {
+    return checkResult({
+      status: "fail",
+      summary: `${detected.manager} outdated failed.`,
+      details: [
+        {
+          message: trimText(commandResult.stderr) || "Command exited with code " + commandResult.exitCode + ".",
+          command: renderCommand(commandResult),
+          exitCode: commandResult.exitCode
+        }
+      ],
+      metadata: { packageManager: detected.manager }
+    });
+  }
+
+  if (parsed.packages.length === 0) {
+    return checkResult({
+      status: "pass",
+      summary: "all dependencies are up to date",
+      details: [],
+      metadata: { packageManager: detected.manager }
+    });
+  }
+
+  return checkResult({
+    status: "warn",
+    summary: `${parsed.packages.length} ${parsed.packages.length === 1 ? "package" : "packages"} outdated`,
+    details: parsed.packages,
+    metadata: { packageManager: detected.manager }
+  });
+}
+
+export async function runOutdatedCommand(manager, rootPath, options = {}) {
+  const runCommand = options.runCommand || execCommand;
+  const { command, args } = getOutdatedCommand(manager);
+  return await runCommand(command, args, { cwd: rootPath });
+}
+
+export function parseOutdatedOutput(manager, stdout, packageJson = {}) {
+  const output = String(stdout || "").trim();
+  if (!output) return { ok: true, packages: [] };
+
+  try {
+    if (manager === "yarn") {
+      return { ok: true, packages: parseYarnOutput(output, packageJson) };
+    }
+
+    const parsed = JSON.parse(output);
+    return { ok: true, packages: normalizeOutdatedData(parsed, packageJson) };
+  } catch (error) {
+    return {
+      ok: false,
+      packages: [],
+      error: error instanceof Error ? error.message : String(error)
+    };
+  }
+}
+
+export function normalizeOutdatedData(data, packageJson = {}) {
+  if (!data || typeof data !== "object") return [];
+
+  if (Array.isArray(data)) {
+    return data
+      .map((entry) => normalizePackageEntry(entry.name || entry.package, entry, packageJson))
+      .filter(Boolean);
+  }
+
+  return Object.entries(data)
+    .map(([name, entry]) => normalizePackageEntry(name, entry, packageJson))
+    .filter(Boolean);
+}
+
+async function execCommand(command, args, options) {
+  try {
+    const result = await execFileAsync(command, args, {
+      cwd: options.cwd,
+      timeout: COMMAND_TIMEOUT_MS,
+      maxBuffer: COMMAND_MAX_BUFFER
+    });
+    return {
+      command,
+      args,
+      stdout: result.stdout || "",
+      stderr: result.stderr || "",
+      exitCode: 0
+    };
+  } catch (error) {
+    return {
+      command,
+      args,
+      stdout: error?.stdout || "",
+      stderr: error?.stderr || error?.message || "",
+      exitCode: error?.code ?? null,
+      signal: error?.signal,
+      error
+    };
+  }
+}
+
+function parseYarnOutput(output, packageJson) {
+  const directJson = tryJson(output);
+  if (directJson.ok) {
+    if (directJson.value?.type === "table") return parseYarnTable(directJson.value.data, packageJson);
+    return normalizeOutdatedData(directJson.value, packageJson);
+  }
+
+  const records = output
+    .split(/\r?\n/)
+    .map((line) => line.trim())
+    .filter(Boolean)
+    .map((line) => tryJson(line))
+    .filter((record) => record.ok)
+    .map((record) => record.value);
+
+  const tableRecord = records.find((record) => record?.type === "table" && record.data);
+  if (tableRecord) return parseYarnTable(tableRecord.data, packageJson);
+
+  const packageRecords = records
+    .filter((record) => record?.data && typeof record.data === "object")
+    .map((record) => record.data);
+  if (packageRecords.length > 0) return normalizeOutdatedData(packageRecords, packageJson);
+
+  throw new Error("No parseable Yarn outdated JSON records were found.");
+}
+
+function parseYarnTable(data, packageJson) {
+  const head = Array.isArray(data?.head) ? data.head.map((value) => String(value).toLowerCase()) : [];
+  const body = Array.isArray(data?.body) ? data.body : [];
+
+  return body.map((row) => {
+    const entry = {
+      name: row[indexOf(head, "package", 0)],
+      current: row[indexOf(head, "current", 1)],
+      wanted: row[indexOf(head, "wanted", 2)],
+      latest: row[indexOf(head, "latest", 3)],
+      type: row[indexOf(head, "package type", 4)]
+    };
+    return normalizePackageEntry(entry.name, entry, packageJson);
+  }).filter(Boolean);
+}
+
+function normalizePackageEntry(name, entry, packageJson) {
+  if (!name || !entry || typeof entry !== "object") return null;
+
+  const current = stringValue(entry.current ?? entry.installed ?? entry.version);
+  const wanted = stringValue(entry.wanted ?? entry.latest);
+  const latest = stringValue(entry.latest ?? entry.wanted);
+
+  if (!current && !wanted && !latest) return null;
+
+  return {
+    name: String(name),
+    current: current || "unknown",
+    wanted: wanted || "unknown",
+    latest: latest || "unknown",
+    type: stringValue(entry.type ?? entry.dependencyType ?? entry.packageType) || inferDependencyType(name, packageJson)
+  };
+}
+
+function inferDependencyType(name, packageJson = {}) {
+  if (Object.hasOwn(packageJson.dependencies || {}, name)) return "dependencies";
+  if (Object.hasOwn(packageJson.devDependencies || {}, name)) return "devDependencies";
+  if (Object.hasOwn(packageJson.peerDependencies || {}, name)) return "peerDependencies";
+  if (Object.hasOwn(packageJson.optionalDependencies || {}, name)) return "optionalDependencies";
+  return "dependencies";
+}
+
+function checkResult(result) {
+  return {
+    id: CHECK_ID,
+    title: CHECK_TITLE,
+    category: "dependencies",
+    details: [],
+    ...result
+  };
+}
+
+function hasCommandFailure(result) {
+  return result.exitCode !== 0 && result.exitCode !== 1;
+}
+
+function hasEmptyExitOneFailure(result) {
+  return result.exitCode === 1 && isEmptyOutput(result.stdout) && !isEmptyOutput(result.stderr);
+}
+
+function isMissingCommand(result) {
+  return result.exitCode === "ENOENT" || result.error?.code === "ENOENT";
+}
+
+function isEmptyOutput(value) {
+  return String(value || "").trim() === "";
+}
+
+function renderCommand(result) {
+  return [result.command, ...(result.args || [])].filter(Boolean).join(" ");
+}
+
+function trimText(value) {
+  const normalized = String(value || "").trim();
+  return normalized.length > 1000 ? `${normalized.slice(0, 1000)}...` : normalized;
+}
+
+function tryJson(value) {
+  try {
+    return { ok: true, value: JSON.parse(value) };
+  } catch {
+    return { ok: false, value: null };
+  }
+}
+
+function indexOf(head, name, fallback) {
+  const index = head.indexOf(name);
+  return index === -1 ? fallback : index;
+}
+
+function stringValue(value) {
+  if (value === undefined || value === null || value === "") return "";
+  return String(value);
+}

package/src/checks/electron/remote-content-with-node.js

@@ -0,0 +1,52 @@
+import { hasText, lineFromOffset, readNearby } from "../helpers.js";
+
+const LOAD_REMOTE_RE =
+  /\b(?:mainWindow|win|window|BrowserWindow|\w+)\.loadURL\s*\(\s*(?:["'`]https?:\/\/[^"'`]+["'`]|remoteUrl|process\.env\.\w+|config\.url)\s*\)/g;
+const RISKY_WEB_PREFERENCES_RE =
+  /\b(?:nodeIntegration\s*:\s*true|contextIsolation\s*:\s*false|webSecurity\s*:\s*false|allowRunningInsecureContent\s*:\s*true|experimentalFeatures\s*:\s*true|enableRemoteModule\s*:\s*true|sandbox\s*:\s*false)\b/i;
+
+export default {
+  id: "electron.remote-content-with-node",
+  title: "Electron remote content should not run with privileged renderer settings",
+  category: "electron",
+  severity: "critical",
+  tags: ["electron", "desktop", "xss", "heuristic"],
+  run: async (context) => {
+    if (!(await isElectronProject(context))) return [];
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (!/\.[cm]?[jt]s$/.test(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/loadURL\s*\(/.test(content) || !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+      LOAD_REMOTE_RE.lastIndex = 0;
+      let match;
+      while ((match = LOAD_REMOTE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 20);
+        if (!RISKY_WEB_PREFERENCES_RE.test(nearby) && !RISKY_WEB_PREFERENCES_RE.test(content)) continue;
+
+        findings.push({
+          message: "Electron appears to load remote content while enabling risky renderer privileges.",
+          file,
+          line,
+          recommendation:
+            "Avoid loading remote content with Node.js integration. Use nodeIntegration: false, contextIsolation: true, sandbox: true, webSecurity: true and a minimal preload bridge.",
+          heuristic: true,
+          metadata: { pattern: "remote-load-url-with-risky-web-preferences" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isElectronProject(context) {
+  return (
+    context.hasDependency("electron") ||
+    context.hasDevDependency("electron") ||
+    (await hasText(context, /\b(?:from\s+["'`]electron["'`]|require\s*\(\s*["'`]electron["'`]\s*\)|BrowserWindow)\b/g))
+  );
+}

package/src/checks/files/path-traversal-risk.js

@@ -0,0 +1,62 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const FILE_PATH_SINK_RE =
+  /\b(?:fs\.(?:readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream)|res\.sendFile|reply\.sendFile|path\.(?:join|resolve)|Bun\.file|Deno\.readTextFile)\s*\(/g;
+const REQUEST_PATH_SOURCE_RE =
+  /\breq\.(?:query|params|body)\.(?:file|path|filename|filepath|filePath)\b|\brequest\.query\b|\bsearchParams\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)|\bformData\.get\s*\(\s*["'`](?:file|path)["'`]\s*\)/i;
+const GENERIC_PATH_SOURCE_RE = /\b(?:userInput|filename|filepath|filePath|pathParam)\b/i;
+const PATH_MITIGATION_RE =
+  /\b(?:path\.basename|allowlist|allowedPaths|sanitizeFilename|safeJoin|validatePath|rejectPathSeparators)\b|(?:\bnormalize\b[\s\S]{0,160}\bstartsWith\s*\()|(?:\bstartsWith\s*\([\s\S]{0,160}\bbaseDir\b)|(?:\.\.["'`][\s\S]{0,120}(?:includes|reject|throw|return))/i;
+
+export default {
+  id: "files.path-traversal-risk",
+  title: "File path operations should not trust request input",
+  category: "files",
+  severity: "critical",
+  tags: ["files", "path-traversal", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\b(?:fs\.|sendFile|path\.|Bun\.file|Deno\.readTextFile)\b/.test(content)) continue;
+
+      FILE_PATH_SINK_RE.lastIndex = 0;
+      let match;
+      while ((match = FILE_PATH_SINK_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!hasRiskyPathSource(file, nearby)) continue;
+        if (PATH_MITIGATION_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to be used in a file path operation.",
+          file,
+          line,
+          recommendation:
+            "Normalize and validate paths, use allowlists, reject traversal sequences, and ensure resolved paths stay inside an intended base directory.",
+          heuristic: true,
+          metadata: { pattern: "user-input-file-path" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasRiskyPathSource(file, nearby) {
+  if (REQUEST_PATH_SOURCE_RE.test(nearby)) return true;
+  if (!GENERIC_PATH_SOURCE_RE.test(nearby)) return false;
+  return (
+    isServerOrApiFile(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    file.includes("/handlers/")
+  );
+}

package/src/checks/frontend/localstorage-token.js

@@ -0,0 +1,42 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const STORAGE_TOKEN_RE =
+  /\b(?:window\.)?(localStorage|sessionStorage)\.setItem\s*\(\s*["'`]([^"'`]*(?:token|jwt|access|refresh|auth|bearer|session)[^"'`]*)["'`]/gi;
+
+export default {
+  id: "frontend.localstorage-token",
+  title: "Authentication tokens should not live in browser storage by default",
+  category: "frontend",
+  severity: "high",
+  tags: ["frontend", "auth", "xss", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(?:localStorage|sessionStorage)\.setItem/.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        STORAGE_TOKEN_RE.lastIndex = 0;
+        let match;
+        while ((match = STORAGE_TOKEN_RE.exec(lines[index])) !== null) {
+          findings.push({
+            message: "Authentication tokens appear to be stored in localStorage or sessionStorage.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Prefer secure, httpOnly cookies for session tokens where appropriate. If browser storage is unavoidable, minimize token lifetime and harden XSS protections.",
+            heuristic: true,
+            metadata: {
+              pattern: `${match[1]}.setItem(auth-token-key)`
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/index.js

@@ -10,6 +10,7 @@ import lockfileMissing from "./dependencies/lockfile-missing.js";
 import multipleLockfiles from "./dependencies/multiple-lockfiles.js";
 import installScriptsRisk from "./dependencies/install-scripts-risk.js";
 import auditScriptMissing from "./dependencies/audit-script-missing.js";
+import outdatedPackages from "./dependencies/outdated-packages.js";
 import packageScriptsMissing from "./package/scripts-missing.js";
 import noCiConfig from "./ci/no-ci-config.js";
 import npmInstallInsteadOfNpmCi from "./ci/npm-install-instead-of-npm-ci.js";
@@ -27,6 +28,10 @@ import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
 import idorRisk from "./auth/idor-risk.js";
 import jwtSecretWeakOrFallback from "./auth/jwt-secret-weak-or-fallback.js";
 import passwordHashingMissing from "./auth/password-hashing-missing.js";
+import missingCsrfProtection from "./auth/missing-csrf-protection.js";
+import missingMethodGuard from "./api/missing-method-guard.js";
+import massAssignmentRisk from "./api/mass-assignment-risk.js";
+import noSchemaValidation from "./api/no-schema-validation.js";
 import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
 import noMigrations from "./database/no-migrations.js";
 import insecureSessionCookie from "./cookies/insecure-session-cookie.js";
@@ -34,10 +39,16 @@ import publicExecutableUpload from "./uploads/public-executable-upload.js";
 import missingRawBody from "./webhooks/missing-raw-body.js";
 import promptInjectionRisk from "./llm/prompt-injection-risk.js";
 import sourceMapsProduction from "./frontend/sourcemaps-production.js";
+import localstorageToken from "./frontend/localstorage-token.js";
+import pathTraversalRisk from "./files/path-traversal-risk.js";
+import userControlledFetch from "./ssrf/user-controlled-fetch.js";
+import nextPublicServerCodeRisk from "./next/public-server-code-risk.js";
 import debugProduction from "./config/debug-production.js";
 import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
 import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
+import electronRemoteContentWithNode from "./electron/remote-content-with-node.js";
 import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
+import tauriRemoteUrlPermissionsRisk from "./tauri/remote-url-permissions-risk.js";
 
 export default [
   gitignoreMissing,
@@ -52,6 +63,7 @@ export default [
   multipleLockfiles,
   installScriptsRisk,
   auditScriptMissing,
+  outdatedPackages,
   packageScriptsMissing,
   noCiConfig,
   npmInstallInsteadOfNpmCi,
@@ -69,6 +81,10 @@ export default [
   idorRisk,
   jwtSecretWeakOrFallback,
   passwordHashingMissing,
+  missingCsrfProtection,
+  missingMethodGuard,
+  massAssignmentRisk,
+  noSchemaValidation,
   rawSqlInterpolation,
   noMigrations,
   insecureSessionCookie,
@@ -76,8 +92,14 @@ export default [
   missingRawBody,
   promptInjectionRisk,
   sourceMapsProduction,
+  localstorageToken,
+  pathTraversalRisk,
+  userControlledFetch,
+  nextPublicServerCodeRisk,
   debugProduction,
   electronNodeIntegrationEnabled,
   electronContextIsolationDisabled,
-  tauriDangerousAllowlistOrCapabilities
+  electronRemoteContentWithNode,
+  tauriDangerousAllowlistOrCapabilities,
+  tauriRemoteUrlPermissionsRisk
 ];

package/src/checks/next/public-server-code-risk.js

@@ -0,0 +1,64 @@
+import { hasText, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CLIENT_DIRECTIVE_RE = /^\s*["'`]use client["'`]\s*;?/m;
+const RISKY_CLIENT_CODE_RE =
+  /\bfrom\s+["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]|\brequire\s*\(\s*["'`](?:node:)?(?:fs|path|child_process|crypto)["'`]\s*\)|\bfrom\s+["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]|\brequire\s*\(\s*["'`](?:@prisma\/client|server-only|@\/lib\/(?:db|prisma)|(?:\.\.\/)+lib\/(?:db|prisma))["'`]\s*\)|\bprisma\b|\bprocess\.env\.(?:DATABASE_URL|JWT_SECRET|STRIPE_SECRET_KEY|OPENAI_API_KEY)\b/g;
+
+export default {
+  id: "next.public-server-code-risk",
+  title: "Next.js Client Components should not import server-only code",
+  category: "next",
+  severity: "high",
+  tags: ["next", "frontend", "server-only", "heuristic"],
+  run: async (context) => {
+    if (!(await isNextProject(context))) return [];
+
+    const findings = [];
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isNextClientCandidate(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CLIENT_DIRECTIVE_RE.test(content)) continue;
+
+      RISKY_CLIENT_CODE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_CLIENT_CODE_RE.exec(content)) !== null) {
+        findings.push({
+          message: "A Next.js Client Component appears to import server-side code or access server-only configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Move database, filesystem, secret and server-only logic into Server Components, API routes or server actions. Keep Client Components free of backend dependencies.",
+          heuristic: true,
+          metadata: { pattern: classifyRisk(match[0]) }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+async function isNextProject(context) {
+  return (
+    context.hasDependency("next") ||
+    context.hasDevDependency("next") ||
+    context.allFiles.some((file) => /^next\.config\.[cm]?[jt]s$/.test(file)) ||
+    context.allFiles.some((file) => file.startsWith("app/")) ||
+    (await hasText(context, /\bfrom\s+["'`]next\//g, { files: context.textFiles.filter((file) => /\.[cm]?[jt]sx?$/.test(file)) }))
+  );
+}
+
+function isNextClientCandidate(file) {
+  return (
+    /\.(?:js|jsx|ts|tsx)$/.test(file) &&
+    (file.startsWith("app/") || file.startsWith("components/") || file.includes("/components/"))
+  );
+}
+
+function classifyRisk(value) {
+  if (/process\.env/.test(value)) return "server-secret-env-access";
+  if (/prisma|db/.test(value)) return "database-import";
+  if (/child_process/.test(value)) return "child-process-import";
+  if (/server-only/.test(value)) return "server-only-import";
+  return "node-server-import";
+}

package/src/checks/ssrf/user-controlled-fetch.js

@@ -0,0 +1,60 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, isFrontendFile, isServerOrApiFile, lineFromOffset, readNearby } from "../helpers.js";
+
+const HTTP_REQUEST_RE =
+  /\b(?:fetch|got|request|ky)\s*\(|\baxios\.(?:get|post|put|patch|delete|request)\s*\(|\baxios\s*\(\s*{|\bundici\.request\s*\(|\bhttps?\.get\s*\(/g;
+const USER_URL_SOURCE_RE =
+  /\breq\.(?:body|query|params)\.url\b|\bsearchParams\.get\s*\(\s*["'`]url["'`]\s*\)|\bformData\.get\s*\(\s*["'`]url["'`]\s*\)|\b(?:requestUrl|userUrl|targetUrl|webhookUrl|callbackUrl|imageUrl|avatarUrl)\b/i;
+const URL_ALLOWLIST_RE =
+  /\b(?:allowlist|allowedHosts|allowedDomains|hostname\s*(?:===|!==|==|!=)|private\s+IP|localhost\s+block|metadata\s+IP|validateUrl|isAllowedUrl|isPrivateIp|blockPrivate|blockLocalhost)\b|169\.254\.169\.254|127\.0\.0\.1|localhost/i;
+
+export default {
+  id: "ssrf.user-controlled-fetch",
+  title: "Server-side HTTP requests should not trust user-controlled URLs",
+  category: "ssrf",
+  severity: "critical",
+  tags: ["ssrf", "api", "network", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file) || isFrontendFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !isLikelyServerSide(file, content) || !/\b(?:fetch|axios|got|request|undici|http|https|ky)\b/.test(content)) continue;
+
+      HTTP_REQUEST_RE.lastIndex = 0;
+      let match;
+      while ((match = HTTP_REQUEST_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = await readNearby(context, file, line, 8);
+        if (!USER_URL_SOURCE_RE.test(nearby)) continue;
+        if (URL_ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a server-side HTTP request.",
+          file,
+          line,
+          recommendation:
+            "Use strict URL allowlists, block private/internal IP ranges including 127.0.0.1, localhost, 169.254.169.254 and RFC1918 ranges, and avoid fetching arbitrary user-provided URLs.",
+          heuristic: true,
+          metadata: { pattern: "user-controlled-server-fetch" }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isLikelyServerSide(file, content) {
+  return (
+    isServerOrApiFile(file) ||
+    /^server\.[cm]?[jt]s$/.test(file) ||
+    file.startsWith("server/") ||
+    file.startsWith("routes/") ||
+    file.startsWith("api/") ||
+    file.includes("/server/") ||
+    file.includes("/routes/") ||
+    file.includes("/controllers/") ||
+    /\b(?:req\.body|req\.query|req\.params|request\.json|ctx\.request|express|fastify|hono)\b/.test(content)
+  );
+}