npm - octocode-cli - Versions diffs - 1.2.6 → 1.2.7 - Mend

octocode-cli 1.2.6 → 1.2.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (303) hide show

package/skills/octocode-code-engineer/src/collectors/performance.test.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import * as ts from 'typescript';
+import { describe, expect, it } from 'vitest';
+import { collectPerformanceData } from './performance.js';
+import type { FileEntry } from '../types/index.js';
+function parse(code: string, fileName = '/repo/src/test.ts'): ts.SourceFile {
+  return ts.createSourceFile(fileName, code, ts.ScriptTarget.ESNext, true);
+}
+function emptyFileEntry(): FileEntry {
+  return {
+    package: 'test',
+    file: 'test.ts',
+    parseEngine: 'typescript',
+    nodeCount: 0,
+    kindCounts: {},
+    functions: [],
+    flows: [],
+    dependencyProfile: {
+      internalDependencies: [],
+      externalDependencies: [],
+      unresolvedDependencies: [],
+      declaredExports: [],
+      importedSymbols: [],
+      reExports: [],
+    },
+  };
+}
+describe('collectPerformanceData', () => {
+  it('collects await-in-loop locations', () => {
+    const sourceFile = parse(`
+      async function run(items: string[]) {
+        for (const item of items) {
+          await fetch(item);
+        }
+      }
+    `);
+    const fileEntry = emptyFileEntry();
+    collectPerformanceData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.awaitInLoopLocations?.length).toBeGreaterThan(0);
+  });
+  it('collects sync io calls', () => {
+    const sourceFile = parse(
+      `function read() { fs.readFileSync('/tmp/a.txt'); }`
+    );
+    const fileEntry = emptyFileEntry();
+    collectPerformanceData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.syncIoCalls?.some(c => c.name === 'readFileSync')).toBe(
+      true
+    );
+  });
+  it('collects timer calls and marks cleanup when clearTimeout exists', () => {
+    const sourceFile = parse(`
+      function run() {
+        setTimeout(() => {}, 5);
+        clearTimeout(1 as unknown as NodeJS.Timeout);
+      }
+    `);
+    const fileEntry = emptyFileEntry();
+    collectPerformanceData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.timerCalls?.length).toBe(1);
+    expect(fileEntry.timerCalls?.[0].kind).toBe('setTimeout');
+    expect(fileEntry.timerCalls?.[0].hasCleanup).toBe(true);
+  });
+  it('collects listener registrations and removals', () => {
+    const sourceFile = parse(`
+      const emitter = new EventEmitter();
+      emitter.on('data', () => {});
+      emitter.off('data', () => {});
+    `);
+    const fileEntry = emptyFileEntry();
+    collectPerformanceData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.listenerRegistrations?.length).toBeGreaterThan(0);
+    expect(fileEntry.listenerRemovals?.length).toBeGreaterThan(0);
+  });
+});

package/skills/octocode-code-engineer/src/collectors/performance.ts ADDED Viewed

@@ -0,0 +1,141 @@
+import * as ts from 'typescript';
+import { blockContainsCall, findParentBlock } from './effects.js';
+import { isFunctionLike } from '../ast/helpers.js';
+import { getLineAndCharacter } from '../common/utils.js';
+import type { CodeLocation, FileEntry, TimerCall } from '../types/index.js';
+const SYNC_IO_METHODS = new Set([
+  'readFileSync',
+  'writeFileSync',
+  'existsSync',
+  'mkdirSync',
+  'readdirSync',
+  'statSync',
+  'lstatSync',
+  'unlinkSync',
+  'rmdirSync',
+  'renameSync',
+  'copyFileSync',
+  'accessSync',
+  'appendFileSync',
+  'chmodSync',
+  'chownSync',
+  'openSync',
+  'closeSync',
+  'execSync',
+  'execFileSync',
+  'spawnSync',
+]);
+export function collectPerformanceData(
+  sourceFile: ts.SourceFile,
+  fileRelative: string,
+  fileEntry: FileEntry
+): void {
+  const awaitInLoopLocations: CodeLocation[] = [];
+  const syncIoCalls: Array<{
+    name: string;
+    lineStart: number;
+    lineEnd: number;
+  }> = [];
+  const timerCalls: TimerCall[] = [];
+  const listenerRegistrations: CodeLocation[] = [];
+  const listenerRemovals: CodeLocation[] = [];
+  const isInsideLoop = (node: ts.Node): boolean => {
+    let current = node.parent;
+    while (current) {
+      if (
+        ts.isForStatement(current) ||
+        ts.isWhileStatement(current) ||
+        ts.isDoStatement(current) ||
+        ts.isForOfStatement(current) ||
+        ts.isForInStatement(current)
+      )
+        return true;
+      if (isFunctionLike(current)) return false;
+      current = current.parent;
+    }
+    return false;
+  };
+  const visit = (node: ts.Node): void => {
+    if (ts.isAwaitExpression(node) && isInsideLoop(node)) {
+      const loc = getLineAndCharacter(sourceFile, node);
+      awaitInLoopLocations.push({
+        file: fileRelative,
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+      });
+    }
+    if (
+      ts.isCallExpression(node) &&
+      ts.isPropertyAccessExpression(node.expression)
+    ) {
+      const methodName = node.expression.name.getText(sourceFile);
+      if (SYNC_IO_METHODS.has(methodName)) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        syncIoCalls.push({
+          name: methodName,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+        });
+      }
+      if (
+        methodName === 'addEventListener' ||
+        methodName === 'on' ||
+        methodName === 'addListener'
+      ) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        listenerRegistrations.push({
+          file: fileRelative,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+        });
+      }
+      if (
+        methodName === 'removeEventListener' ||
+        methodName === 'off' ||
+        methodName === 'removeListener'
+      ) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        listenerRemovals.push({
+          file: fileRelative,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+        });
+      }
+    }
+    if (ts.isCallExpression(node)) {
+      const text = node.expression.getText(sourceFile);
+      if (text === 'setInterval' || text === 'setTimeout') {
+        const loc = getLineAndCharacter(sourceFile, node);
+        const clearName =
+          text === 'setInterval' ? 'clearInterval' : 'clearTimeout';
+        const parentBlock = findParentBlock(node);
+        const hasCleanup = parentBlock
+          ? blockContainsCall(parentBlock, sourceFile, clearName)
+          : false;
+        timerCalls.push({
+          kind: text as 'setInterval' | 'setTimeout',
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+          hasCleanup,
+        });
+      }
+    }
+    ts.forEachChild(node, visit);
+  };
+  ts.forEachChild(sourceFile, visit);
+  fileEntry.awaitInLoopLocations = awaitInLoopLocations;
+  fileEntry.syncIoCalls = syncIoCalls;
+  fileEntry.timerCalls = timerCalls;
+  fileEntry.listenerRegistrations = listenerRegistrations;
+  fileEntry.listenerRemovals = listenerRemovals;
+}

package/skills/octocode-code-engineer/src/collectors/prototype-pollution.test.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import * as ts from 'typescript';
+import { describe, expect, it } from 'vitest';
+import { collectPrototypePollutionSites } from './prototype-pollution.js';
+function parse(code: string, fileName = '/repo/src/test.ts'): ts.SourceFile {
+  return ts.createSourceFile(fileName, code, ts.ScriptTarget.ESNext, true);
+}
+describe('collectPrototypePollutionSites', () => {
+  it('detects Object.assign risk', () => {
+    const sourceFile = parse(`
+      function merge(a: any, b: any) {
+        Object.assign(a, b);
+      }
+    `);
+    const sites = collectPrototypePollutionSites(sourceFile);
+    expect(sites.some(s => s.kind === 'object-assign')).toBe(true);
+  });
+  it('detects deep merge risk', () => {
+    const sourceFile = parse(`
+      function merge(a: any, b: any) {
+        deepMerge(a, b);
+      }
+    `);
+    const sites = collectPrototypePollutionSites(sourceFile);
+    expect(sites.some(s => s.kind === 'deep-merge')).toBe(true);
+  });
+  it('detects dynamic bracket assignment', () => {
+    const sourceFile = parse(`
+      function write(obj: Record<string, unknown>, key: string, val: unknown) {
+        obj[key] = val;
+      }
+    `);
+    const sites = collectPrototypePollutionSites(sourceFile);
+    expect(sites.some(s => s.kind === 'computed-property-write')).toBe(true);
+  });
+  it('marks guarded writes when iterating known internal keys', () => {
+    const sourceFile = parse(`
+      function copy(dst: Record<string, unknown>, src: Record<string, unknown>) {
+        for (const key of Object.keys(src)) {
+          dst[key] = src[key];
+        }
+      }
+    `);
+    const sites = collectPrototypePollutionSites(sourceFile);
+    const guarded = sites.filter(
+      s => s.kind === 'computed-property-write' && s.guarded
+    );
+    expect(guarded.length).toBeGreaterThan(0);
+  });
+});

package/skills/octocode-code-engineer/src/collectors/prototype-pollution.ts ADDED Viewed

@@ -0,0 +1,162 @@
+import * as ts from 'typescript';
+import { findParentBlock } from './effects.js';
+import { isFunctionLike } from '../ast/helpers.js';
+import { getLineAndCharacter } from '../common/utils.js';
+const DEEP_MERGE_NAMES = new Set([
+  'merge',
+  'deepMerge',
+  'deepAssign',
+  'extend',
+  'deepExtend',
+  'defaults',
+  'defaultsDeep',
+  'assign',
+  'mixin',
+]);
+/** Check if a computed-property-write key comes from a for..of/for..in loop over known internal iteration */
+function isKeyFromInternalIteration(
+  node: ts.ElementAccessExpression,
+  sourceFile: ts.SourceFile
+): boolean {
+  const keyExpr = node.argumentExpression;
+  if (!keyExpr || !ts.isIdentifier(keyExpr)) return false;
+  const keyName = keyExpr.getText(sourceFile);
+  let current: ts.Node | undefined = node.parent;
+  while (current) {
+    if (ts.isForOfStatement(current) || ts.isForInStatement(current)) {
+      const init = current.initializer;
+      if (init) {
+        const initText = init.getText(sourceFile);
+        if (initText.includes(keyName)) {
+          const expr = current.expression.getText(sourceFile);
+          if (
+            /Object\.(keys|values|entries|getOwnPropertyNames)\(/.test(expr) ||
+            /\.keys\(\)|\.values\(\)|\.entries\(\)/.test(expr) ||
+            /Array\.from\(/.test(expr)
+          ) {
+            return true;
+          }
+        }
+      }
+    }
+    if (isFunctionLike(current)) break;
+    current = current.parent;
+  }
+  return false;
+}
+/** Check if the containing block has a __proto__/constructor/prototype key guard */
+function hasProtoKeyGuard(node: ts.Node, sourceFile: ts.SourceFile): boolean {
+  const block = findParentBlock(node);
+  if (!block) return false;
+  const blockText = block.getText(sourceFile);
+  return (
+    /__proto__|constructor|prototype/.test(blockText) &&
+    (blockText.includes('===') ||
+      blockText.includes('!==') ||
+      blockText.includes('includes(') ||
+      blockText.includes('hasOwnProperty'))
+  );
+}
+/** Check if the target object was created with Object.create(null) or is Map/Set */
+function isTargetSafeObject(
+  node: ts.ElementAccessExpression,
+  sourceFile: ts.SourceFile
+): boolean {
+  const objText = node.expression.getText(sourceFile);
+  let current: ts.Node | undefined = node.parent;
+  while (current) {
+    if (ts.isBlock(current) || ts.isSourceFile(current)) {
+      const text = current.getText(sourceFile);
+      const createNullPattern = new RegExp(
+        `${objText.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*=\\s*Object\\.create\\(null\\)`
+      );
+      const mapSetPattern = new RegExp(
+        `${objText.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}\\s*=\\s*new\\s+(Map|Set)\\b`
+      );
+      if (createNullPattern.test(text) || mapSetPattern.test(text)) return true;
+      break;
+    }
+    current = current.parent;
+  }
+  return false;
+}
+export function collectPrototypePollutionSites(
+  sourceFile: ts.SourceFile
+): Array<{
+  kind: string;
+  detail: string;
+  lineStart: number;
+  lineEnd: number;
+  guarded: boolean;
+}> {
+  const sites: Array<{
+    kind: string;
+    detail: string;
+    lineStart: number;
+    lineEnd: number;
+    guarded: boolean;
+  }> = [];
+  const visit = (node: ts.Node): void => {
+    if (ts.isCallExpression(node)) {
+      const text = node.expression.getText(sourceFile);
+      if (text === 'Object.assign' && node.arguments.length >= 2) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        sites.push({
+          kind: 'object-assign',
+          detail: `Object.assign() merges properties without __proto__ guard`,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+          guarded: false,
+        });
+      }
+      const calleeName = text.split('.').pop() || '';
+      if (DEEP_MERGE_NAMES.has(calleeName) && node.arguments.length >= 1) {
+        const loc = getLineAndCharacter(sourceFile, node);
+        sites.push({
+          kind: 'deep-merge',
+          detail: `${calleeName}() deep-merges without prototype guard`,
+          lineStart: loc.lineStart,
+          lineEnd: loc.lineEnd,
+          guarded: false,
+        });
+      }
+    }
+    if (
+      ts.isElementAccessExpression(node) &&
+      node.argumentExpression &&
+      !ts.isStringLiteral(node.argumentExpression) &&
+      !ts.isNumericLiteral(node.argumentExpression) &&
+      node.parent &&
+      ts.isBinaryExpression(node.parent) &&
+      node.parent.operatorToken.kind === ts.SyntaxKind.EqualsToken &&
+      node.parent.left === node
+    ) {
+      const guarded =
+        isKeyFromInternalIteration(node, sourceFile) ||
+        hasProtoKeyGuard(node, sourceFile) ||
+        isTargetSafeObject(node, sourceFile);
+      const loc = getLineAndCharacter(sourceFile, node);
+      sites.push({
+        kind: 'computed-property-write',
+        detail: `Dynamic bracket assignment: ${node.getText(sourceFile).slice(0, 40)}`,
+        lineStart: loc.lineStart,
+        lineEnd: loc.lineEnd,
+        guarded,
+      });
+    }
+    ts.forEachChild(node, visit);
+  };
+  ts.forEachChild(sourceFile, visit);
+  return sites;
+}

package/skills/octocode-code-engineer/src/collectors/security.test.ts ADDED Viewed

@@ -0,0 +1,124 @@
+import * as ts from 'typescript';
+import { describe, expect, it } from 'vitest';
+import { collectSecurityData } from './security.js';
+import type { FileEntry } from '../types/index.js';
+function parse(code: string, fileName = '/repo/src/test.ts'): ts.SourceFile {
+  return ts.createSourceFile(fileName, code, ts.ScriptTarget.ESNext, true);
+}
+function emptyFileEntry(): FileEntry {
+  return {
+    package: 'test',
+    file: 'test.ts',
+    parseEngine: 'typescript',
+    nodeCount: 0,
+    kindCounts: {},
+    functions: [],
+    flows: [],
+    dependencyProfile: {
+      internalDependencies: [],
+      externalDependencies: [],
+      unresolvedDependencies: [],
+      declaredExports: [],
+      importedSymbols: [],
+      reExports: [],
+    },
+  };
+}
+describe('collectSecurityData', () => {
+  it('detects eval usage - eval("1") → evalUsages contains entry', () => {
+    const code = `eval("1");`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.evalUsages).toBeDefined();
+    expect(fileEntry.evalUsages).toHaveLength(1);
+    expect(fileEntry.evalUsages![0].file).toBe('test.ts');
+    expect(fileEntry.evalUsages![0].lineStart).toBeGreaterThan(0);
+  });
+  it('detects hardcoded secret pattern - API_KEY = "sk-proj-..." → suspiciousStrings', () => {
+    const code = `const API_KEY = "sk-proj-abc123def456ghi789";`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    expect(fileEntry.suspiciousStrings!.length).toBeGreaterThan(0);
+    const secretEntry = fileEntry.suspiciousStrings!.find(
+      s => s.kind === 'hardcoded-secret'
+    );
+    expect(secretEntry).toBeDefined();
+    expect(secretEntry!.context).toBe('literal');
+  });
+  it('detects SQL injection risk - template literal with SQL keyword and interpolation', () => {
+    const code = 'const q = `SELECT * FROM users WHERE id = ${id}`;';
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    const sqlEntry = fileEntry.suspiciousStrings!.find(
+      s => s.kind === 'sql-injection'
+    );
+    expect(sqlEntry).toBeDefined();
+    expect(sqlEntry!.snippet).toMatch(/SELECT/i);
+  });
+  it('collects regex literal including potentially unsafe patterns', () => {
+    const code = 'const r = /(a+)+/;';
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.regexLiterals).toBeDefined();
+    expect(fileEntry.regexLiterals!.length).toBeGreaterThan(0);
+    expect(fileEntry.regexLiterals![0].pattern).toContain('a');
+  });
+  it('no false positive for regex in definition context - regex with secret keyword gets regex-definition', () => {
+    const code = 'const re = /api_key=""/;';
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    const entry = fileEntry.suspiciousStrings!.find(
+      s => s.context === 'regex-definition'
+    );
+    expect(entry).toBeDefined();
+    expect(entry!.kind).toBe('hardcoded-secret');
+  });
+  it('clean code produces no suspicious strings', () => {
+    const code = `const x = 1; const msg = "hello"; function foo() { return 2; }`;
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    expect(fileEntry.suspiciousStrings!.length).toBe(0);
+    expect(fileEntry.evalUsages).toHaveLength(0);
+  });
+  it('template literal with SQL keyword', () => {
+    const code = 'const sql = `INSERT INTO users (name) VALUES (${name})`;';
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    const sqlEntry = fileEntry.suspiciousStrings!.find(
+      s => s.kind === 'sql-injection'
+    );
+    expect(sqlEntry).toBeDefined();
+  });
+  it('process.env access is not flagged as secret', () => {
+    const code = 'const key = process.env.API_KEY;';
+    const sourceFile = parse(code);
+    const fileEntry = emptyFileEntry();
+    collectSecurityData(sourceFile, 'test.ts', fileEntry);
+    expect(fileEntry.suspiciousStrings).toBeDefined();
+    expect(fileEntry.suspiciousStrings!.length).toBe(0);
+  });
+});