musubix2 0.5.35 → 0.5.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/.musubix-managed +1 -1
- package/dist/assets/skills-manifest.json +1 -1
- package/dist/cli.js +175 -1
- package/dist/index.js +175 -1
- package/package.json +1 -1
package/.claude/.musubix-managed
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"generator":"musubix2","version":"0.5.
|
|
1
|
+
{"generator":"musubix2","version":"0.5.36","timestamp":"2026-07-09T23:23:30.681Z"}
|
package/dist/cli.js
CHANGED
|
@@ -8232,7 +8232,8 @@ __export(dist_exports5, {
|
|
|
8232
8232
|
createSecretDetector: () => createSecretDetector,
|
|
8233
8233
|
createSecurityScanner: () => createSecurityScanner,
|
|
8234
8234
|
isLikelySecret: () => isLikelySecret,
|
|
8235
|
-
isNotFormatMarker: () => isNotFormatMarker
|
|
8235
|
+
isNotFormatMarker: () => isNotFormatMarker,
|
|
8236
|
+
isNotUrlPlaceholder: () => isNotUrlPlaceholder
|
|
8236
8237
|
});
|
|
8237
8238
|
function getLineNumber(code, index) {
|
|
8238
8239
|
return code.substring(0, index).split("\n").length;
|
|
@@ -8292,6 +8293,14 @@ function isNotFormatMarker(matchText) {
|
|
|
8292
8293
|
return false;
|
|
8293
8294
|
return true;
|
|
8294
8295
|
}
|
|
8296
|
+
function isNotUrlPlaceholder(matchText) {
|
|
8297
|
+
const pass = matchText.match(/:\/\/[^:@/]+:([^:@/]+)@/)?.[1] ?? "";
|
|
8298
|
+
if (/^(pass(word)?|secret|changeme|example|xxx+|\*+|test)$/i.test(pass))
|
|
8299
|
+
return false;
|
|
8300
|
+
if (/[$#]\{|<|%s|:\w+$/.test(pass))
|
|
8301
|
+
return false;
|
|
8302
|
+
return true;
|
|
8303
|
+
}
|
|
8295
8304
|
function blankNonCode(code, hashComments) {
|
|
8296
8305
|
const out = code.split("");
|
|
8297
8306
|
const n = code.length;
|
|
@@ -8426,6 +8435,57 @@ var init_dist5 = __esm({
|
|
|
8426
8435
|
cweId: "CWE-798",
|
|
8427
8436
|
confidence: 0.85
|
|
8428
8437
|
},
|
|
8438
|
+
{
|
|
8439
|
+
// GitHub personal access / OAuth / server / refresh tokens.
|
|
8440
|
+
regex: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
|
|
8441
|
+
severity: "critical",
|
|
8442
|
+
type: "secret-leak",
|
|
8443
|
+
description: "GitHub token detected",
|
|
8444
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8445
|
+
cweId: "CWE-798",
|
|
8446
|
+
confidence: 0.95
|
|
8447
|
+
},
|
|
8448
|
+
{
|
|
8449
|
+
// Slack tokens (bot/user/app/refresh/legacy).
|
|
8450
|
+
regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
|
|
8451
|
+
severity: "critical",
|
|
8452
|
+
type: "secret-leak",
|
|
8453
|
+
description: "Slack token detected",
|
|
8454
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8455
|
+
cweId: "CWE-798",
|
|
8456
|
+
confidence: 0.9
|
|
8457
|
+
},
|
|
8458
|
+
{
|
|
8459
|
+
// Stripe / similar `sk_live_` / `rk_live_` secret keys.
|
|
8460
|
+
regex: /\b[sr]k_live_[A-Za-z0-9]{16,}\b/g,
|
|
8461
|
+
severity: "critical",
|
|
8462
|
+
type: "secret-leak",
|
|
8463
|
+
description: "Stripe live secret key detected",
|
|
8464
|
+
suggestion: "Revoke the key and load it from a secrets manager",
|
|
8465
|
+
cweId: "CWE-798",
|
|
8466
|
+
confidence: 0.95
|
|
8467
|
+
},
|
|
8468
|
+
{
|
|
8469
|
+
// Google API key.
|
|
8470
|
+
regex: /\bAIza[A-Za-z0-9_\-]{35}\b/g,
|
|
8471
|
+
severity: "high",
|
|
8472
|
+
type: "secret-leak",
|
|
8473
|
+
description: "Google API key detected",
|
|
8474
|
+
suggestion: "Restrict/revoke the key and load it from a secrets manager",
|
|
8475
|
+
cweId: "CWE-798",
|
|
8476
|
+
confidence: 0.9
|
|
8477
|
+
},
|
|
8478
|
+
{
|
|
8479
|
+
// Credentials embedded in a connection URL: scheme://user:pass@host.
|
|
8480
|
+
regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"@/]+:[^\s:'"@/]+@[^\s'"/]+/g,
|
|
8481
|
+
severity: "high",
|
|
8482
|
+
type: "hardcoded-credential",
|
|
8483
|
+
description: "Credentials in a connection string / URL detected",
|
|
8484
|
+
suggestion: "Move the username/password out of the URL into a secrets manager",
|
|
8485
|
+
cweId: "CWE-798",
|
|
8486
|
+
confidence: 0.75,
|
|
8487
|
+
validate: isNotUrlPlaceholder
|
|
8488
|
+
},
|
|
8429
8489
|
{
|
|
8430
8490
|
regex: /['"][A-Za-z0-9]{32,}['"]/g,
|
|
8431
8491
|
severity: "medium",
|
|
@@ -8514,6 +8574,120 @@ var init_dist5 = __esm({
|
|
|
8514
8574
|
suggestion: "Use parameterized queries instead of template literals",
|
|
8515
8575
|
cweId: "CWE-89",
|
|
8516
8576
|
confidence: 0.75
|
|
8577
|
+
},
|
|
8578
|
+
// --- Command injection ---------------------------------------------------
|
|
8579
|
+
{
|
|
8580
|
+
regex: /\bos\.system\s*\(/g,
|
|
8581
|
+
severity: "critical",
|
|
8582
|
+
type: "injection",
|
|
8583
|
+
description: "Use of os.system() \u2014 potential command injection",
|
|
8584
|
+
suggestion: "Use subprocess with an argument list and shell=False",
|
|
8585
|
+
cweId: "CWE-78",
|
|
8586
|
+
confidence: 0.85
|
|
8587
|
+
},
|
|
8588
|
+
{
|
|
8589
|
+
regex: /\bsubprocess\.\w+\([^)]*shell\s*=\s*True/g,
|
|
8590
|
+
severity: "high",
|
|
8591
|
+
type: "injection",
|
|
8592
|
+
description: "subprocess call with shell=True \u2014 potential command injection",
|
|
8593
|
+
suggestion: "Pass an argument list and use shell=False",
|
|
8594
|
+
cweId: "CWE-78",
|
|
8595
|
+
confidence: 0.8
|
|
8596
|
+
},
|
|
8597
|
+
{
|
|
8598
|
+
regex: /(?<![.\w>:])(?:shell_exec|passthru|proc_open|popen)\s*\(/g,
|
|
8599
|
+
severity: "critical",
|
|
8600
|
+
type: "injection",
|
|
8601
|
+
description: "Use of a shell-execution function \u2014 potential command injection",
|
|
8602
|
+
suggestion: "Avoid shell execution of untrusted input; use safe APIs with argument arrays",
|
|
8603
|
+
cweId: "CWE-78",
|
|
8604
|
+
confidence: 0.8
|
|
8605
|
+
},
|
|
8606
|
+
{
|
|
8607
|
+
regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)system\s*\(/g,
|
|
8608
|
+
severity: "high",
|
|
8609
|
+
type: "injection",
|
|
8610
|
+
description: "Use of system() \u2014 potential command injection",
|
|
8611
|
+
suggestion: "Avoid passing untrusted input to system(); use safe execution APIs",
|
|
8612
|
+
cweId: "CWE-78",
|
|
8613
|
+
confidence: 0.65
|
|
8614
|
+
},
|
|
8615
|
+
{
|
|
8616
|
+
regex: /Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(/g,
|
|
8617
|
+
severity: "critical",
|
|
8618
|
+
type: "injection",
|
|
8619
|
+
description: "Runtime.exec() \u2014 potential command injection",
|
|
8620
|
+
suggestion: "Use ProcessBuilder with an argument list and validate inputs",
|
|
8621
|
+
cweId: "CWE-78",
|
|
8622
|
+
confidence: 0.8
|
|
8623
|
+
},
|
|
8624
|
+
// --- SQL injection (formatting/concatenation in DB calls) ----------------
|
|
8625
|
+
{
|
|
8626
|
+
regex: /\b(?:execute|query|raw|prepare|executemany)\s*\(\s*f['"]/g,
|
|
8627
|
+
severity: "high",
|
|
8628
|
+
type: "injection",
|
|
8629
|
+
description: "Potential SQL injection \u2014 f-string in a database call",
|
|
8630
|
+
suggestion: "Use parameterized queries; never build SQL with f-strings",
|
|
8631
|
+
cweId: "CWE-89",
|
|
8632
|
+
confidence: 0.75
|
|
8633
|
+
},
|
|
8634
|
+
{
|
|
8635
|
+
regex: /\b(?:execute|query|raw|prepare)\s*\([^)]*\.format\s*\(/g,
|
|
8636
|
+
severity: "high",
|
|
8637
|
+
type: "injection",
|
|
8638
|
+
description: "Potential SQL injection \u2014 .format() building a query",
|
|
8639
|
+
suggestion: "Use parameterized queries instead of str.format()",
|
|
8640
|
+
cweId: "CWE-89",
|
|
8641
|
+
confidence: 0.7
|
|
8642
|
+
},
|
|
8643
|
+
{
|
|
8644
|
+
regex: /\b(?:execute|query|raw)\s*\([^)]*\+/g,
|
|
8645
|
+
severity: "high",
|
|
8646
|
+
type: "injection",
|
|
8647
|
+
description: "Potential SQL injection \u2014 string concatenation in a query call",
|
|
8648
|
+
suggestion: "Use parameterized queries instead of string concatenation",
|
|
8649
|
+
cweId: "CWE-89",
|
|
8650
|
+
confidence: 0.7
|
|
8651
|
+
},
|
|
8652
|
+
// --- Insecure deserialization -------------------------------------------
|
|
8653
|
+
// --- Insecure deserialization (low severity: real but commonly intentional
|
|
8654
|
+
// in framework internals; triage with --fail-on) ------------------------
|
|
8655
|
+
{
|
|
8656
|
+
regex: /\bpickle\.loads?\s*\(/g,
|
|
8657
|
+
severity: "low",
|
|
8658
|
+
type: "injection",
|
|
8659
|
+
description: "Insecure deserialization \u2014 pickle.load(s) (unsafe on untrusted data)",
|
|
8660
|
+
suggestion: "Never unpickle untrusted data; use a safe format such as JSON",
|
|
8661
|
+
cweId: "CWE-502",
|
|
8662
|
+
confidence: 0.6
|
|
8663
|
+
},
|
|
8664
|
+
{
|
|
8665
|
+
regex: /\byaml\.load\s*\(/g,
|
|
8666
|
+
severity: "low",
|
|
8667
|
+
type: "injection",
|
|
8668
|
+
description: "Insecure deserialization \u2014 yaml.load() without SafeLoader",
|
|
8669
|
+
suggestion: "Use yaml.safe_load() instead of yaml.load()",
|
|
8670
|
+
cweId: "CWE-502",
|
|
8671
|
+
confidence: 0.6
|
|
8672
|
+
},
|
|
8673
|
+
{
|
|
8674
|
+
regex: /(?<![.\w>:])unserialize\s*\(/g,
|
|
8675
|
+
severity: "low",
|
|
8676
|
+
type: "injection",
|
|
8677
|
+
description: "Insecure deserialization \u2014 unserialize() (unsafe on untrusted data)",
|
|
8678
|
+
suggestion: "Avoid unserialize() on untrusted input; use JSON",
|
|
8679
|
+
cweId: "CWE-502",
|
|
8680
|
+
confidence: 0.6
|
|
8681
|
+
},
|
|
8682
|
+
// --- Weak cryptography (low: often used for non-security checksums) -------
|
|
8683
|
+
{
|
|
8684
|
+
regex: /\bhashlib\.(?:md5|sha1)\s*\(|createHash\s*\(\s*['"](?:md5|sha1)['"]/g,
|
|
8685
|
+
severity: "low",
|
|
8686
|
+
type: "injection",
|
|
8687
|
+
description: "Weak cryptographic hash (MD5/SHA-1) detected",
|
|
8688
|
+
suggestion: "Use SHA-256+ (or bcrypt/argon2 for passwords) instead of MD5/SHA-1",
|
|
8689
|
+
cweId: "CWE-327",
|
|
8690
|
+
confidence: 0.5
|
|
8517
8691
|
}
|
|
8518
8692
|
];
|
|
8519
8693
|
analyze(code, filePath) {
|
package/dist/index.js
CHANGED
|
@@ -8232,7 +8232,8 @@ __export(dist_exports5, {
|
|
|
8232
8232
|
createSecretDetector: () => createSecretDetector,
|
|
8233
8233
|
createSecurityScanner: () => createSecurityScanner,
|
|
8234
8234
|
isLikelySecret: () => isLikelySecret,
|
|
8235
|
-
isNotFormatMarker: () => isNotFormatMarker
|
|
8235
|
+
isNotFormatMarker: () => isNotFormatMarker,
|
|
8236
|
+
isNotUrlPlaceholder: () => isNotUrlPlaceholder
|
|
8236
8237
|
});
|
|
8237
8238
|
function getLineNumber(code, index) {
|
|
8238
8239
|
return code.substring(0, index).split("\n").length;
|
|
@@ -8292,6 +8293,14 @@ function isNotFormatMarker(matchText) {
|
|
|
8292
8293
|
return false;
|
|
8293
8294
|
return true;
|
|
8294
8295
|
}
|
|
8296
|
+
function isNotUrlPlaceholder(matchText) {
|
|
8297
|
+
const pass = matchText.match(/:\/\/[^:@/]+:([^:@/]+)@/)?.[1] ?? "";
|
|
8298
|
+
if (/^(pass(word)?|secret|changeme|example|xxx+|\*+|test)$/i.test(pass))
|
|
8299
|
+
return false;
|
|
8300
|
+
if (/[$#]\{|<|%s|:\w+$/.test(pass))
|
|
8301
|
+
return false;
|
|
8302
|
+
return true;
|
|
8303
|
+
}
|
|
8295
8304
|
function blankNonCode(code, hashComments) {
|
|
8296
8305
|
const out = code.split("");
|
|
8297
8306
|
const n = code.length;
|
|
@@ -8426,6 +8435,57 @@ var init_dist5 = __esm({
|
|
|
8426
8435
|
cweId: "CWE-798",
|
|
8427
8436
|
confidence: 0.85
|
|
8428
8437
|
},
|
|
8438
|
+
{
|
|
8439
|
+
// GitHub personal access / OAuth / server / refresh tokens.
|
|
8440
|
+
regex: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
|
|
8441
|
+
severity: "critical",
|
|
8442
|
+
type: "secret-leak",
|
|
8443
|
+
description: "GitHub token detected",
|
|
8444
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8445
|
+
cweId: "CWE-798",
|
|
8446
|
+
confidence: 0.95
|
|
8447
|
+
},
|
|
8448
|
+
{
|
|
8449
|
+
// Slack tokens (bot/user/app/refresh/legacy).
|
|
8450
|
+
regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
|
|
8451
|
+
severity: "critical",
|
|
8452
|
+
type: "secret-leak",
|
|
8453
|
+
description: "Slack token detected",
|
|
8454
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8455
|
+
cweId: "CWE-798",
|
|
8456
|
+
confidence: 0.9
|
|
8457
|
+
},
|
|
8458
|
+
{
|
|
8459
|
+
// Stripe / similar `sk_live_` / `rk_live_` secret keys.
|
|
8460
|
+
regex: /\b[sr]k_live_[A-Za-z0-9]{16,}\b/g,
|
|
8461
|
+
severity: "critical",
|
|
8462
|
+
type: "secret-leak",
|
|
8463
|
+
description: "Stripe live secret key detected",
|
|
8464
|
+
suggestion: "Revoke the key and load it from a secrets manager",
|
|
8465
|
+
cweId: "CWE-798",
|
|
8466
|
+
confidence: 0.95
|
|
8467
|
+
},
|
|
8468
|
+
{
|
|
8469
|
+
// Google API key.
|
|
8470
|
+
regex: /\bAIza[A-Za-z0-9_\-]{35}\b/g,
|
|
8471
|
+
severity: "high",
|
|
8472
|
+
type: "secret-leak",
|
|
8473
|
+
description: "Google API key detected",
|
|
8474
|
+
suggestion: "Restrict/revoke the key and load it from a secrets manager",
|
|
8475
|
+
cweId: "CWE-798",
|
|
8476
|
+
confidence: 0.9
|
|
8477
|
+
},
|
|
8478
|
+
{
|
|
8479
|
+
// Credentials embedded in a connection URL: scheme://user:pass@host.
|
|
8480
|
+
regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"@/]+:[^\s:'"@/]+@[^\s'"/]+/g,
|
|
8481
|
+
severity: "high",
|
|
8482
|
+
type: "hardcoded-credential",
|
|
8483
|
+
description: "Credentials in a connection string / URL detected",
|
|
8484
|
+
suggestion: "Move the username/password out of the URL into a secrets manager",
|
|
8485
|
+
cweId: "CWE-798",
|
|
8486
|
+
confidence: 0.75,
|
|
8487
|
+
validate: isNotUrlPlaceholder
|
|
8488
|
+
},
|
|
8429
8489
|
{
|
|
8430
8490
|
regex: /['"][A-Za-z0-9]{32,}['"]/g,
|
|
8431
8491
|
severity: "medium",
|
|
@@ -8514,6 +8574,120 @@ var init_dist5 = __esm({
|
|
|
8514
8574
|
suggestion: "Use parameterized queries instead of template literals",
|
|
8515
8575
|
cweId: "CWE-89",
|
|
8516
8576
|
confidence: 0.75
|
|
8577
|
+
},
|
|
8578
|
+
// --- Command injection ---------------------------------------------------
|
|
8579
|
+
{
|
|
8580
|
+
regex: /\bos\.system\s*\(/g,
|
|
8581
|
+
severity: "critical",
|
|
8582
|
+
type: "injection",
|
|
8583
|
+
description: "Use of os.system() \u2014 potential command injection",
|
|
8584
|
+
suggestion: "Use subprocess with an argument list and shell=False",
|
|
8585
|
+
cweId: "CWE-78",
|
|
8586
|
+
confidence: 0.85
|
|
8587
|
+
},
|
|
8588
|
+
{
|
|
8589
|
+
regex: /\bsubprocess\.\w+\([^)]*shell\s*=\s*True/g,
|
|
8590
|
+
severity: "high",
|
|
8591
|
+
type: "injection",
|
|
8592
|
+
description: "subprocess call with shell=True \u2014 potential command injection",
|
|
8593
|
+
suggestion: "Pass an argument list and use shell=False",
|
|
8594
|
+
cweId: "CWE-78",
|
|
8595
|
+
confidence: 0.8
|
|
8596
|
+
},
|
|
8597
|
+
{
|
|
8598
|
+
regex: /(?<![.\w>:])(?:shell_exec|passthru|proc_open|popen)\s*\(/g,
|
|
8599
|
+
severity: "critical",
|
|
8600
|
+
type: "injection",
|
|
8601
|
+
description: "Use of a shell-execution function \u2014 potential command injection",
|
|
8602
|
+
suggestion: "Avoid shell execution of untrusted input; use safe APIs with argument arrays",
|
|
8603
|
+
cweId: "CWE-78",
|
|
8604
|
+
confidence: 0.8
|
|
8605
|
+
},
|
|
8606
|
+
{
|
|
8607
|
+
regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)system\s*\(/g,
|
|
8608
|
+
severity: "high",
|
|
8609
|
+
type: "injection",
|
|
8610
|
+
description: "Use of system() \u2014 potential command injection",
|
|
8611
|
+
suggestion: "Avoid passing untrusted input to system(); use safe execution APIs",
|
|
8612
|
+
cweId: "CWE-78",
|
|
8613
|
+
confidence: 0.65
|
|
8614
|
+
},
|
|
8615
|
+
{
|
|
8616
|
+
regex: /Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(/g,
|
|
8617
|
+
severity: "critical",
|
|
8618
|
+
type: "injection",
|
|
8619
|
+
description: "Runtime.exec() \u2014 potential command injection",
|
|
8620
|
+
suggestion: "Use ProcessBuilder with an argument list and validate inputs",
|
|
8621
|
+
cweId: "CWE-78",
|
|
8622
|
+
confidence: 0.8
|
|
8623
|
+
},
|
|
8624
|
+
// --- SQL injection (formatting/concatenation in DB calls) ----------------
|
|
8625
|
+
{
|
|
8626
|
+
regex: /\b(?:execute|query|raw|prepare|executemany)\s*\(\s*f['"]/g,
|
|
8627
|
+
severity: "high",
|
|
8628
|
+
type: "injection",
|
|
8629
|
+
description: "Potential SQL injection \u2014 f-string in a database call",
|
|
8630
|
+
suggestion: "Use parameterized queries; never build SQL with f-strings",
|
|
8631
|
+
cweId: "CWE-89",
|
|
8632
|
+
confidence: 0.75
|
|
8633
|
+
},
|
|
8634
|
+
{
|
|
8635
|
+
regex: /\b(?:execute|query|raw|prepare)\s*\([^)]*\.format\s*\(/g,
|
|
8636
|
+
severity: "high",
|
|
8637
|
+
type: "injection",
|
|
8638
|
+
description: "Potential SQL injection \u2014 .format() building a query",
|
|
8639
|
+
suggestion: "Use parameterized queries instead of str.format()",
|
|
8640
|
+
cweId: "CWE-89",
|
|
8641
|
+
confidence: 0.7
|
|
8642
|
+
},
|
|
8643
|
+
{
|
|
8644
|
+
regex: /\b(?:execute|query|raw)\s*\([^)]*\+/g,
|
|
8645
|
+
severity: "high",
|
|
8646
|
+
type: "injection",
|
|
8647
|
+
description: "Potential SQL injection \u2014 string concatenation in a query call",
|
|
8648
|
+
suggestion: "Use parameterized queries instead of string concatenation",
|
|
8649
|
+
cweId: "CWE-89",
|
|
8650
|
+
confidence: 0.7
|
|
8651
|
+
},
|
|
8652
|
+
// --- Insecure deserialization -------------------------------------------
|
|
8653
|
+
// --- Insecure deserialization (low severity: real but commonly intentional
|
|
8654
|
+
// in framework internals; triage with --fail-on) ------------------------
|
|
8655
|
+
{
|
|
8656
|
+
regex: /\bpickle\.loads?\s*\(/g,
|
|
8657
|
+
severity: "low",
|
|
8658
|
+
type: "injection",
|
|
8659
|
+
description: "Insecure deserialization \u2014 pickle.load(s) (unsafe on untrusted data)",
|
|
8660
|
+
suggestion: "Never unpickle untrusted data; use a safe format such as JSON",
|
|
8661
|
+
cweId: "CWE-502",
|
|
8662
|
+
confidence: 0.6
|
|
8663
|
+
},
|
|
8664
|
+
{
|
|
8665
|
+
regex: /\byaml\.load\s*\(/g,
|
|
8666
|
+
severity: "low",
|
|
8667
|
+
type: "injection",
|
|
8668
|
+
description: "Insecure deserialization \u2014 yaml.load() without SafeLoader",
|
|
8669
|
+
suggestion: "Use yaml.safe_load() instead of yaml.load()",
|
|
8670
|
+
cweId: "CWE-502",
|
|
8671
|
+
confidence: 0.6
|
|
8672
|
+
},
|
|
8673
|
+
{
|
|
8674
|
+
regex: /(?<![.\w>:])unserialize\s*\(/g,
|
|
8675
|
+
severity: "low",
|
|
8676
|
+
type: "injection",
|
|
8677
|
+
description: "Insecure deserialization \u2014 unserialize() (unsafe on untrusted data)",
|
|
8678
|
+
suggestion: "Avoid unserialize() on untrusted input; use JSON",
|
|
8679
|
+
cweId: "CWE-502",
|
|
8680
|
+
confidence: 0.6
|
|
8681
|
+
},
|
|
8682
|
+
// --- Weak cryptography (low: often used for non-security checksums) -------
|
|
8683
|
+
{
|
|
8684
|
+
regex: /\bhashlib\.(?:md5|sha1)\s*\(|createHash\s*\(\s*['"](?:md5|sha1)['"]/g,
|
|
8685
|
+
severity: "low",
|
|
8686
|
+
type: "injection",
|
|
8687
|
+
description: "Weak cryptographic hash (MD5/SHA-1) detected",
|
|
8688
|
+
suggestion: "Use SHA-256+ (or bcrypt/argon2 for passwords) instead of MD5/SHA-1",
|
|
8689
|
+
cweId: "CWE-327",
|
|
8690
|
+
confidence: 0.5
|
|
8517
8691
|
}
|
|
8518
8692
|
];
|
|
8519
8693
|
analyze(code, filePath) {
|