lean-claudient-core 0.1.0

package/src/security/owaspScanner.ts

@@ -0,0 +1,390 @@
+/**
+ * OWASP Top 10 Security Scanner
+ * Scans code for common security vulnerabilities
+ */
+
+export interface SecurityFinding {
+  category: string;
+  cweId: string;
+  cvssScore: number;
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+  title: string;
+  description: string;
+  location?: {
+    file?: string;
+    line?: number;
+    column?: number;
+  };
+  remediation: string;
+  evidence?: string;
+}
+
+const PATTERNS = {
+  // A01: SQL Injection - unparameterized queries
+  SQL_INJECTION: [
+    /\.query\s*\(\s*["'`]\s*SELECT\s+/gi,
+    /\.execute\s*\(\s*["'`]\s*SELECT\s+/gi,
+    /sql\s*=\s*["'`]\s*SELECT\s+.*\+\s*.*\s*["'`]/gi,
+    /db\.run\s*\(\s*["'`]\s*SELECT\s+/gi,
+  ],
+
+  // A02: Cryptographic Failures - hardcoded secrets
+  HARDCODED_SECRETS: [
+    /password\s*[=:]\s*["']([^"']+)["']/gi,
+    /secret\s*[=:]\s*["']([^"']+)["']/gi,
+    /token\s*[=:]\s*["']([^"']+)["']/gi,
+  ],
+
+  // A03: Injection - eval and Function constructor
+  DANGEROUS_EVAL: [
+    /\beval\s*\(/g,
+    /Function\s*\(\s*["'`]/g,
+    /setTimeout\s*\(\s*["'`]/g,
+    /setInterval\s*\(\s*["'`]/g,
+  ],
+
+  // A03: Injection - template injection
+  TEMPLATE_INJECTION: [
+    /render\s*\(\s*userInput\s*\)/gi,
+    /interpolate\s*\(\s*userInput\s*\)/gi,
+    /template\s*\(\s*["'`]\s*\$\{.*\}\s*["'`]/gi,
+  ],
+
+  // A04: Insecure Object Deserialization
+  INSECURE_DESERIALIZATION: [
+    /JSON\.parse\s*\(\s*userInput\s*\)/gi,
+    /pickle\.loads\s*\(/gi,
+    /unserialize\s*\(/gi,
+  ],
+
+  // A05: Security Misconfiguration - CORS
+  INSECURE_CORS: [
+    /Access-Control-Allow-Origin\s*[:=]\s*["']\*["']/gi,
+    /cors\s*\(\s*\{[^}]*origin[^}]*\*[^}]*\}/gi,
+  ],
+
+  // A06: Vulnerable Components - known patterns
+  VULNERABLE_DEPENDENCIES: [
+    /require\s*\(\s*["']lodash\.template["']\s*\)/gi,
+    /require\s*\(\s*["']express-unless["']\s*\)/gi,
+  ],
+
+  // A07: Missing Authentication
+  MISSING_AUTH: [
+    /router\.get\s*\(\s*["'](\/admin|\/api).*["']\s*,\s*\(req,\s*res\)\s*=>/gi,
+    /router\.post\s*\(\s*["'](\/admin|\/api).*["']\s*,\s*\(req,\s*res\)\s*=>/gi,
+  ],
+
+  // A09: Using Components with Known Vulnerabilities
+  OUTDATED_DEPENDENCIES: [
+    /"name":\s*"lodash"[^}]*"version":\s*"[0-3]\.[0-9]+\.[0-9]+"/gi,
+    /"name":\s*"express"[^}]*"version":\s*"[34]\.[0-9]+\.[0-9]+"/gi,
+  ],
+
+  // A10: SSRF - unvalidated redirects
+  UNVALIDATED_REDIRECT: [
+    /redirect\s*\(\s*userInput\s*\)/gi,
+    /window\.location\s*=\s*userInput/gi,
+    /res\.redirect\s*\(\s*req\.query\.url\s*\)/gi,
+  ],
+
+  // XSS - user input in HTML
+  XSS_VULNERABILITY: [
+    /innerHTML\s*=\s*userInput/gi,
+    /innerHTML\s*=\s*req\.query\./gi,
+    /innerHTML\s*=\s*req\.body\./gi,
+    /dangerouslySetInnerHTML/g,
+  ],
+};
+
+/**
+ * Scan code for SQL injection vulnerabilities
+ */
+export function scanSQLInjection(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.SQL_INJECTION) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A01: SQL Injection',
+        cweId: 'CWE-89',
+        cvssScore: 9.8,
+        severity: 'CRITICAL',
+        title: 'Potential SQL Injection Vulnerability',
+        description:
+          'Unparameterized SQL query detected. This can be exploited to modify or retrieve database contents.',
+        remediation:
+          'Use parameterized queries or prepared statements with bound parameters.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for hardcoded secrets
+ */
+export function scanHardcodedSecrets(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.HARDCODED_SECRETS) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A02: Cryptographic Failures',
+        cweId: 'CWE-798',
+        cvssScore: 9.8,
+        severity: 'CRITICAL',
+        title: 'Hardcoded Secret Detected',
+        description: 'Credentials or secrets hardcoded in source code. This enables credential theft.',
+        remediation:
+          'Store credentials in environment variables, secure vaults (AWS Secrets Manager, HashiCorp Vault), or .env files (never committed).',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for dangerous use of eval()
+ */
+export function scanDangerousEval(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.DANGEROUS_EVAL) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A03: Injection',
+        cweId: 'CWE-95',
+        cvssScore: 8.6,
+        severity: 'HIGH',
+        title: 'Use of eval() or similar Dangerous Function',
+        description:
+          'eval() and similar functions can execute arbitrary code and should be avoided.',
+        remediation:
+          'Replace eval() with safer alternatives: JSON.parse() for JSON, or template literals with proper escaping.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for XSS vulnerabilities
+ */
+export function scanXSS(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.XSS_VULNERABILITY) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A03: Injection - XSS',
+        cweId: 'CWE-79',
+        cvssScore: 6.1,
+        severity: 'MEDIUM',
+        title: 'Potential Cross-Site Scripting (XSS) Vulnerability',
+        description:
+          'User input is directly inserted into HTML without sanitization. This allows attackers to inject malicious scripts.',
+        remediation:
+          'Use context-aware output encoding, Content Security Policy (CSP), and templating engines that auto-escape by default.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for insecure deserialization
+ */
+export function scanInsecureDeserialization(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.INSECURE_DESERIALIZATION) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A08: Software and Data Integrity Failures',
+        cweId: 'CWE-502',
+        cvssScore: 8.1,
+        severity: 'HIGH',
+        title: 'Insecure Deserialization',
+        description:
+          'Deserializing untrusted data can lead to remote code execution or object injection attacks.',
+        remediation:
+          'Validate and sanitize all input before deserialization. Consider using safer formats like JSON instead of binary serialization.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for CORS misconfigurations
+ */
+export function scanCORSMisconfiguration(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.INSECURE_CORS) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A01: Broken Access Control',
+        cweId: 'CWE-942',
+        cvssScore: 5.3,
+        severity: 'MEDIUM',
+        title: 'Insecure CORS Configuration',
+        description:
+          'CORS allows all origins (*). This enables any website to access resources, bypassing same-origin policy.',
+        remediation:
+          'Explicitly specify allowed origins in CORS configuration. Never use wildcard (*) for sensitive APIs.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for unvalidated redirects
+ */
+export function scanUnvalidatedRedirect(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.UNVALIDATED_REDIRECT) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A01: Broken Access Control',
+        cweId: 'CWE-601',
+        cvssScore: 6.1,
+        severity: 'MEDIUM',
+        title: 'Unvalidated Redirect',
+        description:
+          'Redirecting to user-supplied URL without validation enables phishing attacks.',
+        remediation:
+          'Validate redirect URLs against a whitelist. Use relative URLs when possible.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for missing authentication on sensitive endpoints
+ */
+export function scanMissingAuth(code: string): SecurityFinding[] {
+  const findings: SecurityFinding[] = [];
+
+  for (const pattern of PATTERNS.MISSING_AUTH) {
+    const matches = code.matchAll(pattern);
+    for (const match of matches) {
+      findings.push({
+        category: 'A01: Broken Authentication',
+        cweId: 'CWE-306',
+        cvssScore: 8.1,
+        severity: 'HIGH',
+        title: 'Missing Authentication on Sensitive Endpoint',
+        description: 'Admin or API endpoints without authentication checks are exposed to unauthorized access.',
+        remediation:
+          'Add authentication and authorization checks to all sensitive endpoints. Use middleware to enforce authentication.',
+        evidence: match[0].substring(0, 60),
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Main scanner - run all checks
+ */
+export function scanCode(code: string): SecurityFinding[] {
+  if (!code || typeof code !== 'string') {
+    return [];
+  }
+
+  const findings: SecurityFinding[] = [
+    ...scanSQLInjection(code),
+    ...scanHardcodedSecrets(code),
+    ...scanDangerousEval(code),
+    ...scanXSS(code),
+    ...scanInsecureDeserialization(code),
+    ...scanCORSMisconfiguration(code),
+    ...scanUnvalidatedRedirect(code),
+    ...scanMissingAuth(code),
+  ];
+
+  // Deduplicate and sort by severity
+  const unique = Array.from(new Map(findings.map((f) => [f.evidence, f])).values());
+  const severityOrder = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+
+  return unique.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+}
+
+/**
+ * Scan file with location information
+ */
+export async function scanFileForVulnerabilities(
+  filePath: string,
+  content: string
+): Promise<SecurityFinding[]> {
+  const findings = scanCode(content);
+  return findings.map((f) => ({
+    ...f,
+    location: {
+      file: filePath,
+      ...f.location,
+    },
+  }));
+}
+
+/**
+ * Generate security report
+ */
+export function generateSecurityReport(findings: SecurityFinding[]): {
+  summary: {
+    total: number;
+    critical: number;
+    high: number;
+    medium: number;
+    low: number;
+  };
+  findings: SecurityFinding[];
+  riskLevel: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'NONE';
+} {
+  const summary = {
+    total: findings.length,
+    critical: findings.filter((f) => f.severity === 'CRITICAL').length,
+    high: findings.filter((f) => f.severity === 'HIGH').length,
+    medium: findings.filter((f) => f.severity === 'MEDIUM').length,
+    low: findings.filter((f) => f.severity === 'LOW').length,
+  };
+
+  let riskLevel: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'NONE' = 'NONE';
+  if (summary.critical > 0) riskLevel = 'CRITICAL';
+  else if (summary.high > 0) riskLevel = 'HIGH';
+  else if (summary.medium > 0) riskLevel = 'MEDIUM';
+  else if (summary.low > 0) riskLevel = 'LOW';
+
+  return {
+    summary,
+    findings,
+    riskLevel,
+  };
+}