npm - octocode-cli - Versions diffs - 1.2.5 → 1.2.7 - Mend

octocode-cli 1.2.5 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/skills/octocode-code-engineer/src/collectors/effects.ts ADDED Viewed

@@ -0,0 +1,332 @@
+import * as ts from 'typescript';
+import { isFunctionLike } from '../ast/helpers.js';
+import { getLineAndCharacter } from '../common/utils.js';
+import type { TopLevelEffect } from '../types/index.js';
+const SYNC_IO_TOP_LEVEL = new Set([
+  'readFileSync',
+  'writeFileSync',
+  'existsSync',
+  'mkdirSync',
+  'readdirSync',
+  'statSync',
+  'lstatSync',
+  'unlinkSync',
+  'rmdirSync',
+  'renameSync',
+  'copyFileSync',
+  'accessSync',
+  'appendFileSync',
+  'chmodSync',
+  'chownSync',
+  'openSync',
+  'closeSync',
+]);
+const EXEC_SYNC_TOP_LEVEL = new Set(['execSync', 'execFileSync', 'spawnSync']);
+export function collectTopLevelEffects(
+  sourceFile: ts.SourceFile,
+  _fileRelative: string
+): TopLevelEffect[] {
+  const effects: TopLevelEffect[] = [];
+  for (const stmt of sourceFile.statements) {
+    if (ts.isImportDeclaration(stmt)) {
+      if (!stmt.importClause) {
+        const spec = stmt.moduleSpecifier;
+        const moduleName = ts.isStringLiteral(spec) ? spec.text : '<unknown>';
+        const loc = getLineAndCharacter(sourceFile, stmt);
+        effects.push({
+          kind: 'side-effect-import',
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+          detail: `import '${moduleName}'`,
+          weight: 3,
+          confidence: 'medium',
+        });
+      }
+      continue;
+    }
+    if (ts.isExportDeclaration(stmt) || ts.isExportAssignment(stmt)) continue;
+    if (
+      ts.isTypeAliasDeclaration(stmt) ||
+      ts.isInterfaceDeclaration(stmt) ||
+      ts.isEnumDeclaration(stmt)
+    )
+      continue;
+    if (ts.isModuleDeclaration(stmt)) continue;
+    if (
+      isFunctionLike(stmt) ||
+      ts.isFunctionDeclaration(stmt) ||
+      ts.isClassDeclaration(stmt)
+    )
+      continue;
+    if (ts.isVariableStatement(stmt)) {
+      for (const decl of stmt.declarationList.declarations) {
+        if (decl.initializer) {
+          scanExpressionForEffects(decl.initializer, sourceFile, effects);
+        }
+      }
+      continue;
+    }
+    if (ts.isExpressionStatement(stmt)) {
+      scanExpressionForEffects(stmt.expression, sourceFile, effects);
+      continue;
+    }
+    if (
+      ts.isIfStatement(stmt) ||
+      ts.isForStatement(stmt) ||
+      ts.isWhileStatement(stmt) ||
+      ts.isDoStatement(stmt) ||
+      ts.isForOfStatement(stmt) ||
+      ts.isForInStatement(stmt) ||
+      ts.isSwitchStatement(stmt) ||
+      ts.isTryStatement(stmt)
+    ) {
+      scanNodeForEffects(stmt, sourceFile, effects);
+    }
+  }
+  return effects;
+}
+function scanExpressionForEffects(
+  expr: ts.Expression,
+  sourceFile: ts.SourceFile,
+  effects: TopLevelEffect[]
+): void {
+  if (ts.isAwaitExpression(expr)) {
+    const loc = getLineAndCharacter(sourceFile, expr);
+    effects.push({
+      kind: 'top-level-await',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: 'top-level await',
+      weight: 4,
+      confidence: 'high',
+    });
+    return;
+  }
+  if (ts.isCallExpression(expr)) {
+    classifyCall(expr, sourceFile, effects);
+    return;
+  }
+  if (
+    ts.isNewExpression(expr) &&
+    expr.expression.getText(sourceFile) === 'Function'
+  ) {
+    const loc = getLineAndCharacter(sourceFile, expr);
+    effects.push({
+      kind: 'eval',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: 'new Function()',
+      weight: 8,
+      confidence: 'high',
+    });
+    return;
+  }
+  if (
+    ts.isBinaryExpression(expr) &&
+    expr.operatorToken.kind === ts.SyntaxKind.EqualsToken
+  ) {
+    if (ts.isCallExpression(expr.right)) {
+      classifyCall(expr.right, sourceFile, effects);
+    }
+  }
+}
+function classifyCall(
+  call: ts.CallExpression,
+  sourceFile: ts.SourceFile,
+  effects: TopLevelEffect[]
+): void {
+  const text = call.expression.getText(sourceFile);
+  const loc = getLineAndCharacter(sourceFile, call);
+  if (text === 'eval' || text === 'Function') {
+    effects.push({
+      kind: 'eval',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: `${text}()`,
+      weight: 8,
+      confidence: 'high',
+    });
+    return;
+  }
+  if (text === 'setInterval' || text === 'setTimeout') {
+    effects.push({
+      kind: 'timer',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: `${text}()`,
+      weight: 4,
+      confidence: 'high',
+    });
+    return;
+  }
+  if (ts.isPropertyAccessExpression(call.expression)) {
+    const method = call.expression.name.getText(sourceFile);
+    const obj = call.expression.expression.getText(sourceFile);
+    if (EXEC_SYNC_TOP_LEVEL.has(method) || EXEC_SYNC_TOP_LEVEL.has(text)) {
+      effects.push({
+        kind: 'exec-sync',
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        detail: text,
+        weight: 8,
+        confidence: 'high',
+      });
+      return;
+    }
+    if (SYNC_IO_TOP_LEVEL.has(method)) {
+      effects.push({
+        kind: 'sync-io',
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        detail: text,
+        weight: 5,
+        confidence: 'high',
+      });
+      return;
+    }
+    if (
+      obj === 'process' &&
+      (method === 'on' || method === 'once' || method === 'addListener')
+    ) {
+      effects.push({
+        kind: 'process-handler',
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        detail: `${text}()`,
+        weight: 4,
+        confidence: 'high',
+      });
+      return;
+    }
+    if (
+      method === 'addEventListener' ||
+      method === 'on' ||
+      method === 'addListener'
+    ) {
+      effects.push({
+        kind: 'listener',
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        detail: `${text}()`,
+        weight: 4,
+        confidence: 'medium',
+      });
+      return;
+    }
+  }
+  if (ts.isCallExpression(call.expression) || text === 'import') {
+    if (
+      text.startsWith('import(') ||
+      (ts.isCallExpression(call) &&
+        call.expression.kind === ts.SyntaxKind.ImportKeyword)
+    ) {
+      effects.push({
+        kind: 'dynamic-import',
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        detail: 'dynamic import()',
+        weight: 3,
+        confidence: 'medium',
+      });
+    }
+  }
+}
+function scanNodeForEffects(
+  node: ts.Node,
+  sourceFile: ts.SourceFile,
+  effects: TopLevelEffect[]
+): void {
+  if (isFunctionLike(node) || ts.isClassDeclaration(node)) return;
+  if (ts.isCallExpression(node)) {
+    classifyCall(node, sourceFile, effects);
+    return;
+  }
+  if (ts.isAwaitExpression(node)) {
+    const loc = getLineAndCharacter(sourceFile, node);
+    effects.push({
+      kind: 'top-level-await',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: 'top-level await',
+      weight: 4,
+      confidence: 'high',
+    });
+    return;
+  }
+  if (
+    ts.isNewExpression(node) &&
+    node.expression.getText(sourceFile) === 'Function'
+  ) {
+    const loc = getLineAndCharacter(sourceFile, node);
+    effects.push({
+      kind: 'eval',
+      lineStart: loc.lineStart,
+      lineEnd: loc.lineEnd,
+      detail: 'new Function()',
+      weight: 8,
+      confidence: 'high',
+    });
+    return;
+  }
+  ts.forEachChild(node, child =>
+    scanNodeForEffects(child, sourceFile, effects)
+  );
+}
+export function findParentBlock(
+  node: ts.Node
+): ts.Block | ts.SourceFile | null {
+  let current = node.parent;
+  while (current) {
+    if (ts.isBlock(current) || ts.isSourceFile(current)) return current;
+    current = current.parent;
+  }
+  return null;
+}
+export function blockContainsCall(
+  block: ts.Node,
+  sourceFile: ts.SourceFile,
+  callName: string
+): boolean {
+  let found = false;
+  const search = (n: ts.Node): void => {
+    if (found) return;
+    if (
+      ts.isCallExpression(n) &&
+      n.expression.getText(sourceFile) === callName
+    ) {
+      found = true;
+      return;
+    }
+    ts.forEachChild(n, search);
+  };
+  ts.forEachChild(block, search);
+  return found;
+}

package/skills/octocode-code-engineer/src/collectors/input-sources.test.ts ADDED Viewed

@@ -0,0 +1,144 @@
+import * as ts from 'typescript';
+import { describe, expect, it } from 'vitest';
+import { collectInputSourceProfile } from './input-sources.js';
+import type { FileEntry } from '../types/index.js';
+function parse(code: string, fileName = '/repo/src/test.ts'): ts.SourceFile {
+  return ts.createSourceFile(fileName, code, ts.ScriptTarget.ESNext, true);
+}
+function emptyFileEntry(): FileEntry {
+  return {
+    package: 'test',
+    file: 'test.ts',
+    parseEngine: 'typescript',
+    nodeCount: 0,
+    kindCounts: {},
+    functions: [],
+    flows: [],
+    dependencyProfile: {
+      internalDependencies: [],
+      externalDependencies: [],
+      unresolvedDependencies: [],
+      declaredExports: [],
+      importedSymbols: [],
+      reExports: [],
+    },
+  };
+}
+describe('collectInputSourceProfile', () => {
+  it('function with req param → detects input source with high confidence', () => {
+    const code = `function handler(req: Request) { return req.url; }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBeGreaterThan(0);
+    const src = fileEntry.inputSources![0];
+    expect(src.sourceParams).toContain('req');
+    expect(src.paramConfidence).toBe('high');
+  });
+  it('function with input param → detects with medium confidence', () => {
+    const code = `function process(input: string) { return input.trim(); }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBeGreaterThan(0);
+    const src = fileEntry.inputSources![0];
+    expect(src.sourceParams).toContain('input');
+    expect(src.paramConfidence).toBe('medium');
+  });
+  it('function with count param → no input source detected', () => {
+    const code = `function increment(count: number) { return count + 1; }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBe(0);
+  });
+  it('function with req and eval() sink → hasSinkInBody=true', () => {
+    const code = `function bad(req: Request) { eval(req.body); }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBeGreaterThan(0);
+    const src = fileEntry.inputSources![0];
+    expect(src.hasSinkInBody).toBe(true);
+    expect(src.sinkKinds).toContain('eval');
+  });
+  it('function with validation (typeof check) → hasValidation=true', () => {
+    const code = `function safe(input: unknown) { if (typeof input === 'string') return input; }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBeGreaterThan(0);
+    const src = fileEntry.inputSources![0];
+    expect(src.hasValidation).toBe(true);
+  });
+  it('no false positive on non-source parameters', () => {
+    const code = `function util(count: number, limit: number) { return count * limit; }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBe(0);
+  });
+  it('detects instanceof validation for source param', () => {
+    const code = `
+      class UserInput {}
+      function parseReq(req: unknown) {
+        if (req instanceof UserInput) return req;
+        return null;
+      }
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBeGreaterThan(0);
+    expect(fileEntry.inputSources![0].hasValidation).toBe(true);
+  });
+  it('detects optional chaining usage as validation signal', () => {
+    const code = `
+      function read(req: { body?: { id?: string } }) {
+        return req?.body?.id ?? '';
+      }
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBe(1);
+    expect(fileEntry.inputSources![0].hasValidation).toBe(true);
+  });
+  it('captures callsWithInputArgs when source param is passed to sink-like calls', () => {
+    const code = `
+      function route(req: any, res: any) {
+        res.send(req.body);
+        return req;
+      }
+    `;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectInputSourceProfile(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.inputSources).toBeDefined();
+    expect(fileEntry.inputSources!.length).toBe(1);
+    const calls = fileEntry.inputSources![0].callsWithInputArgs;
+    expect(calls.length).toBeGreaterThan(0);
+    expect(calls.some(c => c.callee.includes('res.send'))).toBe(true);
+  });
+});

package/skills/octocode-code-engineer/src/collectors/input-sources.ts ADDED Viewed

@@ -0,0 +1,196 @@
+import * as ts from 'typescript';
+import { getFunctionName, isFunctionLike } from '../ast/helpers.js';
+import { getLineAndCharacter } from '../common/utils.js';
+import type { FileEntry, InputSourceInfo } from '../types/index.js';
+const HIGH_CONFIDENCE_PARAM =
+  /^(req|request|body|rawBody|formData|payload|query|headers|params)$/i;
+const MEDIUM_CONFIDENCE_PARAM = /^(input|event|message)$/i;
+const SOURCE_PARAM_PATTERNS =
+  /^(req|request|body|input|payload|data|params|query|headers|event|message|ctx|context|args|rawBody|formData)/i;
+function getParamConfidence(params: string[]): 'high' | 'medium' | 'low' {
+  let hasMedium = false;
+  for (const p of params) {
+    if (HIGH_CONFIDENCE_PARAM.test(p)) return 'high';
+    if (MEDIUM_CONFIDENCE_PARAM.test(p)) hasMedium = true;
+  }
+  return hasMedium ? 'medium' : 'low';
+}
+const SINK_CALL_PATTERNS: Array<{ pattern: RegExp; kind: string }> = [
+  { pattern: /^eval$/, kind: 'eval' },
+  { pattern: /^Function$/, kind: 'eval' },
+  { pattern: /\.exec(Sync)?$/, kind: 'exec' },
+  { pattern: /^child_process\.(exec|spawn|fork)/, kind: 'exec' },
+  { pattern: /^execSync$|^spawnSync$/, kind: 'exec' },
+  { pattern: /^cp\.exec$|^cp\.spawn$/, kind: 'exec' },
+  { pattern: /\.innerHTML$|\.outerHTML$/, kind: 'innerHTML' },
+  { pattern: /dangerouslySetInnerHTML/, kind: 'innerHTML' },
+  { pattern: /\.query$|\.execute$/, kind: 'sql' },
+  { pattern: /\.redirect$/, kind: 'redirect' },
+  { pattern: /\.send$|\.json$|\.write$/, kind: 'response' },
+  { pattern: /fs\.(writeFile|appendFile)/, kind: 'fs-write' },
+  { pattern: /writeFileSync|appendFileSync/, kind: 'fs-write' },
+  { pattern: /fs\.(readFile|readFileSync|createReadStream)/, kind: 'fs-read' },
+  { pattern: /readFileSync|readFile/, kind: 'fs-read' },
+  { pattern: /path\.(resolve|join)/, kind: 'path-resolve' },
+  { pattern: /^fetch$/, kind: 'ssrf' },
+  { pattern: /^(http|https)\.(request|get)/, kind: 'ssrf' },
+  { pattern: /axios\.(get|post|put|delete|request)/, kind: 'ssrf' },
+];
+const SCHEMA_VALIDATOR_PATTERNS =
+  /\.(validate|parse|safeParse|parseAsync|check|verify)\s*\(/;
+const VALIDATOR_LIB_PATTERNS =
+  /^(z|zod|Joi|yup|ajv|validator|superstruct|io-ts)\./;
+export function collectInputSourceProfile(
+  sourceFile: ts.SourceFile,
+  _fileRelative: string,
+  fileEntry: FileEntry
+): void {
+  const inputSources: InputSourceInfo[] = [];
+  const visitFn = (node: ts.Node): void => {
+    if (!isFunctionLike(node)) {
+      ts.forEachChild(node, visitFn);
+      return;
+    }
+    const fnNode = node as ts.FunctionLikeDeclaration;
+    const params = fnNode.parameters;
+    const sourceParams: string[] = [];
+    for (const p of params) {
+      const name = p.name.getText(sourceFile);
+      if (SOURCE_PARAM_PATTERNS.test(name)) sourceParams.push(name);
+    }
+    if (sourceParams.length === 0) {
+      ts.forEachChild(node, visitFn);
+      return;
+    }
+    const body = fnNode.body;
+    if (!body) {
+      ts.forEachChild(node, visitFn);
+      return;
+    }
+    const sinkKinds = new Set<string>();
+    let hasValidation = false;
+    const callsWithInputArgs: Array<{ callee: string; lineStart: number }> = [];
+    const sourceParamSet = new Set(sourceParams);
+    const walkBody = (child: ts.Node): void => {
+      if (isFunctionLike(child) && child !== node) return;
+      if (ts.isCallExpression(child)) {
+        const callText = child.expression.getText(sourceFile);
+        for (const sink of SINK_CALL_PATTERNS) {
+          if (sink.pattern.test(callText)) {
+            sinkKinds.add(sink.kind);
+            break;
+          }
+        }
+        if (
+          SCHEMA_VALIDATOR_PATTERNS.test(callText) ||
+          VALIDATOR_LIB_PATTERNS.test(callText)
+        ) {
+          hasValidation = true;
+        }
+        for (const arg of child.arguments) {
+          const argText = arg.getText(sourceFile);
+          for (const sp of sourceParamSet) {
+            if (
+              argText === sp ||
+              argText.startsWith(sp + '.') ||
+              argText.startsWith(sp + '[')
+            ) {
+              const loc = getLineAndCharacter(sourceFile, child);
+              callsWithInputArgs.push({
+                callee: callText,
+                lineStart: loc.lineStart,
+              });
+              break;
+            }
+          }
+        }
+      }
+      if (ts.isTypeOfExpression(child)) {
+        const operand = child.expression.getText(sourceFile);
+        if (sourceParamSet.has(operand)) hasValidation = true;
+      }
+      if (
+        ts.isPrefixUnaryExpression(child) &&
+        child.operator === ts.SyntaxKind.ExclamationToken
+      ) {
+        const operand = child.operand.getText(sourceFile);
+        if (sourceParamSet.has(operand)) hasValidation = true;
+      }
+      if (ts.isIfStatement(child) || ts.isConditionalExpression(child)) {
+        const cond = ts.isIfStatement(child)
+          ? child.expression
+          : child.condition;
+        const condText = cond.getText(sourceFile);
+        for (const sp of sourceParamSet) {
+          if (condText.includes(sp)) {
+            hasValidation = true;
+            break;
+          }
+        }
+      }
+      if (
+        ts.isCallExpression(child) &&
+        child.expression.getText(sourceFile).endsWith('instanceof')
+      ) {
+        hasValidation = true;
+      }
+      if (
+        ts.isBinaryExpression(child) &&
+        child.operatorToken.kind === ts.SyntaxKind.InstanceOfKeyword
+      ) {
+        const leftText = child.left.getText(sourceFile);
+        if (sourceParamSet.has(leftText)) hasValidation = true;
+      }
+      ts.forEachChild(child, walkBody);
+    };
+    ts.forEachChild(body, walkBody);
+    if (ts.isTemplateExpression(body) || ts.isBlock(body)) {
+      const bodyText = body.getText(sourceFile);
+      for (const sp of sourceParamSet) {
+        if (bodyText.includes(sp + '?.')) {
+          hasValidation = true;
+          break;
+        }
+      }
+    }
+    const fnLoc = getLineAndCharacter(sourceFile, node);
+    const fnName = getFunctionName(node, sourceFile);
+    inputSources.push({
+      functionName: fnName,
+      lineStart: fnLoc.lineStart,
+      lineEnd: fnLoc.lineEnd,
+      sourceParams,
+      hasSinkInBody: sinkKinds.size > 0,
+      sinkKinds: [...sinkKinds],
+      hasValidation,
+      callsWithInputArgs,
+      paramConfidence: getParamConfidence(sourceParams),
+    });
+    ts.forEachChild(node, visitFn);
+  };
+  ts.forEachChild(sourceFile, visitFn);
+  fileEntry.inputSources = inputSources;
+}