opensecurity 0.2.1 → 0.3.0

package/dist/engines/analysis/patterns.js

@@ -0,0 +1,237 @@
+import traverseImport from "@babel/traverse";
+import * as t from "@babel/types";
+const SECRET_NAME_REGEX = /^(api[-_]?key|secret|token|password|passwd|pwd|private[-_]?key|access[-_]?key|client[-_]?secret)$/i;
+const SECRET_VALUE_MIN_LEN = 16;
+const SECRET_ENTROPY_THRESHOLD = 3.7;
+const SECRET_VALUE_PATTERNS = [
+    { id: "secret-aws-access-key", pattern: /AKIA[0-9A-Z]{16}/, title: "Hardcoded AWS Access Key" },
+    { id: "secret-github", pattern: /gh[pousr]_[A-Za-z0-9]{20,}/, title: "Hardcoded GitHub Token" },
+    { id: "secret-slack", pattern: /xox[baprs]-[A-Za-z0-9-]{10,}/, title: "Hardcoded Slack Token" },
+    { id: "secret-stripe", pattern: /sk_live_[A-Za-z0-9]{16,}/, title: "Hardcoded Stripe Secret Key" },
+    { id: "secret-google-api", pattern: /AIza[0-9A-Za-z\-_]{35}/, title: "Hardcoded Google API Key" },
+    { id: "secret-jwt", pattern: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, title: "Hardcoded JWT" },
+    { id: "secret-private-key", pattern: /-----BEGIN (RSA|EC|DSA|PRIVATE) KEY-----/, title: "Hardcoded Private Key" }
+];
+const WEAK_HASHES = new Set(["md5", "sha1", "md4"]);
+const WEAK_CIPHERS = ["des", "3des", "rc2", "rc4", "bf", "blowfish", "idea"];
+const INSECURE_RANDOM_CALLS = new Set(["Math.random", "crypto.pseudoRandomBytes", "pseudoRandomBytes"]);
+const DESERIALIZATION_CALLEES = new Set([
+    "unserialize",
+    "deserialize",
+    "serialize.unserialize",
+    "serialize.deserialize",
+    "yaml.load",
+    "YAML.load",
+    "jsyaml.load"
+]);
+export function runPatternDetectors(ast, filePath) {
+    const traverse = normalizeTraverse(traverseImport);
+    const findings = [];
+    const toLoc = (node) => {
+        const loc = node.loc?.start;
+        return {
+            line: loc?.line,
+            column: typeof loc?.column === "number" ? loc.column + 1 : undefined
+        };
+    };
+    const pushFinding = (finding) => {
+        findings.push(finding);
+    };
+    const markSecret = (node, title, description, id = "hardcoded-secret") => {
+        const loc = toLoc(node);
+        pushFinding({
+            id,
+            severity: "high",
+            owasp: "A07:2021 Identification and Authentication Failures",
+            title,
+            description,
+            file: filePath,
+            line: loc.line,
+            column: loc.column
+        });
+    };
+    const markCrypto = (node, title, description, id = "insecure-crypto") => {
+        const loc = toLoc(node);
+        pushFinding({
+            id,
+            severity: "high",
+            owasp: "A02:2021 Cryptographic Failures",
+            title,
+            description,
+            file: filePath,
+            line: loc.line,
+            column: loc.column
+        });
+    };
+    const markDeserialize = (node, title, description, id = "unsafe-deserialization") => {
+        const loc = toLoc(node);
+        pushFinding({
+            id,
+            severity: "high",
+            owasp: "A08:2021 Software and Data Integrity Failures",
+            title,
+            description,
+            file: filePath,
+            line: loc.line,
+            column: loc.column
+        });
+    };
+    const getStringValue = (node) => {
+        if (t.isStringLiteral(node))
+            return node.value;
+        if (t.isTemplateLiteral(node) && node.expressions.length === 0) {
+            return node.quasis.map((q) => q.value.cooked ?? "").join("");
+        }
+        return null;
+    };
+    const isSecretKeyName = (name) => {
+        if (!name)
+            return false;
+        return SECRET_NAME_REGEX.test(name);
+    };
+    const isHighEntropySecret = (value) => {
+        if (value.length < SECRET_VALUE_MIN_LEN)
+            return false;
+        return shannonEntropy(value) >= SECRET_ENTROPY_THRESHOLD;
+    };
+    const matchesSecretValue = (value) => {
+        for (const entry of SECRET_VALUE_PATTERNS) {
+            if (entry.pattern.test(value))
+                return { id: entry.id, title: entry.title };
+        }
+        return null;
+    };
+    traverse(ast, {
+        VariableDeclarator(path) {
+            if (!t.isIdentifier(path.node.id))
+                return;
+            if (!path.node.init)
+                return;
+            const value = getStringValue(path.node.init);
+            if (!value)
+                return;
+            if (value.length < SECRET_VALUE_MIN_LEN)
+                return;
+            const name = path.node.id.name;
+            const matched = matchesSecretValue(value);
+            if (matched) {
+                markSecret(path.node.init, matched.title, `Detected ${matched.title.toLowerCase()} in code.`, matched.id);
+                return;
+            }
+            if (isSecretKeyName(name)) {
+                markSecret(path.node.init, "Hardcoded Secret", `Hardcoded value assigned to '${name}'.`);
+                return;
+            }
+            if (isHighEntropySecret(value)) {
+                markSecret(path.node.init, "Hardcoded Secret", "High-entropy string literal may be a secret.");
+            }
+        },
+        ObjectProperty(path) {
+            if (!t.isExpression(path.node.value))
+                return;
+            const value = getStringValue(path.node.value);
+            if (!value || value.length < SECRET_VALUE_MIN_LEN)
+                return;
+            let keyName = null;
+            if (t.isIdentifier(path.node.key))
+                keyName = path.node.key.name;
+            if (t.isStringLiteral(path.node.key))
+                keyName = path.node.key.value;
+            const matched = matchesSecretValue(value);
+            if (matched) {
+                markSecret(path.node.value, matched.title, `Detected ${matched.title.toLowerCase()} in object literal.`, matched.id);
+                return;
+            }
+            if (isSecretKeyName(keyName)) {
+                markSecret(path.node.value, "Hardcoded Secret", `Hardcoded value for object key '${keyName}'.`);
+                return;
+            }
+            if (isHighEntropySecret(value)) {
+                markSecret(path.node.value, "Hardcoded Secret", "High-entropy string literal may be a secret.");
+            }
+        },
+        CallExpression(path) {
+            const calleeName = getCalleeName(path.node);
+            if (!calleeName)
+                return;
+            if (calleeName === "crypto.createHash" || calleeName === "createHash") {
+                const arg = path.node.arguments[0];
+                if (arg && t.isExpression(arg)) {
+                    const value = getStringValue(arg);
+                    if (value && WEAK_HASHES.has(value.toLowerCase())) {
+                        markCrypto(arg, "Weak Hash Function", `Hash algorithm '${value}' is considered weak.`);
+                    }
+                }
+            }
+            if (INSECURE_RANDOM_CALLS.has(calleeName)) {
+                markCrypto(path.node, "Insecure Randomness", "Math.random or pseudoRandomBytes is not cryptographically secure.");
+            }
+            if (calleeName === "crypto.createCipher" || calleeName === "createCipher") {
+                markCrypto(path.node, "Insecure Cipher API", "crypto.createCipher is deprecated and insecure.");
+            }
+            if (calleeName === "crypto.createDecipher" || calleeName === "createDecipher") {
+                markCrypto(path.node, "Insecure Cipher API", "crypto.createDecipher is deprecated and insecure.");
+            }
+            if (calleeName === "crypto.createCipheriv" ||
+                calleeName === "crypto.createDecipheriv" ||
+                calleeName === "createCipheriv" ||
+                calleeName === "createDecipheriv") {
+                const arg = path.node.arguments[0];
+                if (arg && t.isExpression(arg)) {
+                    const value = getStringValue(arg);
+                    if (value) {
+                        const lower = value.toLowerCase();
+                        const weak = WEAK_CIPHERS.some((alg) => lower.includes(alg)) || lower.includes("-ecb") || lower.endsWith("ecb");
+                        if (weak) {
+                            markCrypto(arg, "Weak Cipher Algorithm", `Cipher algorithm '${value}' is considered weak.`);
+                        }
+                    }
+                }
+            }
+            if (DESERIALIZATION_CALLEES.has(calleeName)) {
+                markDeserialize(path.node, "Unsafe Deserialization", `Call to '${calleeName}' may deserialize untrusted data.`);
+            }
+        }
+    });
+    return findings;
+}
+function getCalleeName(node) {
+    const callee = node.callee;
+    if (t.isIdentifier(callee))
+        return callee.name;
+    if (t.isMemberExpression(callee))
+        return memberExpressionToString(callee);
+    return null;
+}
+function memberExpressionToString(node) {
+    if (node.computed)
+        return null;
+    const object = node.object;
+    const property = node.property;
+    const objectName = t.isIdentifier(object)
+        ? object.name
+        : t.isMemberExpression(object)
+            ? memberExpressionToString(object)
+            : null;
+    if (!objectName)
+        return null;
+    if (!t.isIdentifier(property))
+        return null;
+    return `${objectName}.${property.name}`;
+}
+function normalizeTraverse(value) {
+    return value.default ?? value;
+}
+function shannonEntropy(value) {
+    const counts = new Map();
+    for (const ch of value) {
+        counts.set(ch, (counts.get(ch) ?? 0) + 1);
+    }
+    const len = value.length;
+    let entropy = 0;
+    for (const count of counts.values()) {
+        const p = count / len;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}

package/dist/engines/analysis/rules.js

@@ -0,0 +1,48 @@
+import { runTaintAnalysis } from "./taint.js";
+export const OWASP_TOP_10 = [
+    "A01:2021 Broken Access Control",
+    "A02:2021 Cryptographic Failures",
+    "A03:2021 Injection",
+    "A04:2021 Insecure Design",
+    "A05:2021 Security Misconfiguration",
+    "A06:2021 Vulnerable and Outdated Components",
+    "A07:2021 Identification and Authentication Failures",
+    "A08:2021 Software and Data Integrity Failures",
+    "A09:2021 Security Logging and Monitoring Failures",
+    "A10:2021 Server-Side Request Forgery"
+];
+export function runRuleEngine(ast, filePath, rules) {
+    const findings = [];
+    for (const rule of rules) {
+        const taintFindings = runTaintAnalysis(ast, filePath, {
+            sources: rule.sources,
+            sinks: rule.sinks,
+            sanitizers: rule.sanitizers
+        });
+        for (const finding of taintFindings) {
+            findings.push({
+                ruleId: rule.id,
+                ruleName: rule.name,
+                owasp: rule.owasp,
+                severity: rule.severity,
+                file: filePath,
+                line: finding.line,
+                column: finding.column,
+                message: `${rule.name}: ${finding.message}`
+            });
+        }
+    }
+    return findings;
+}
+export function mapFindingsToOwasp(findings) {
+    const map = new Map();
+    for (const category of OWASP_TOP_10) {
+        map.set(category, []);
+    }
+    for (const finding of findings) {
+        const bucket = map.get(finding.owasp);
+        if (bucket)
+            bucket.push(finding);
+    }
+    return map;
+}

package/dist/engines/analysis/taint.js

@@ -0,0 +1,294 @@
+import traverseImport from "@babel/traverse";
+import * as t from "@babel/types";
+export function runTaintAnalysis(ast, filePath, rules) {
+    const traverse = normalizeTraverse(traverseImport);
+    const findings = [];
+    const taintedVarsStack = [];
+    const sanitizedVarsStack = [];
+    const taintedExpressions = new WeakSet();
+    const sanitizedExpressions = new WeakSet();
+    const pushScope = () => taintedVarsStack.push(new Set());
+    const popScope = () => taintedVarsStack.pop();
+    const pushSanitizedScope = () => sanitizedVarsStack.push(new Set());
+    const popSanitizedScope = () => sanitizedVarsStack.pop();
+    const currentScope = () => taintedVarsStack[taintedVarsStack.length - 1];
+    const currentSanitizedScope = () => sanitizedVarsStack[sanitizedVarsStack.length - 1];
+    const isTainted = (name) => currentScope()?.has(name) ?? false;
+    const taint = (name) => currentScope()?.add(name);
+    const untaint = (name) => currentScope()?.delete(name);
+    const isSanitized = (name) => currentSanitizedScope()?.has(name) ?? false;
+    const sanitize = (name) => currentSanitizedScope()?.add(name);
+    const unsanitize = (name) => currentSanitizedScope()?.delete(name);
+    const matchEndpoint = (node, endpoints) => {
+        const calleeNames = getCalleeNames(node);
+        if (!calleeNames.length)
+            return null;
+        return endpoints.find((endpoint) => matchesAnyCallee(calleeNames, endpoint.matcher));
+    };
+    const isSanitizerCall = (node) => matchEndpoint(node, rules.sanitizers);
+    const isSourceCall = (node) => matchEndpoint(node, rules.sources);
+    const isSinkCall = (node) => matchEndpoint(node, rules.sinks);
+    const valueIsSanitized = (node) => {
+        if (sanitizedExpressions.has(node))
+            return true;
+        if (t.isIdentifier(node))
+            return isSanitized(node.name);
+        if (t.isMemberExpression(node)) {
+            return t.isExpression(node.object) ? valueIsSanitized(node.object) : false;
+        }
+        if (t.isCallExpression(node)) {
+            if (isSanitizerCall(node)) {
+                sanitizedExpressions.add(node);
+                return true;
+            }
+            return false;
+        }
+        if (t.isBinaryExpression(node) || t.isLogicalExpression(node)) {
+            return valueIsSanitized(node.left) || valueIsSanitized(node.right);
+        }
+        if (t.isConditionalExpression(node)) {
+            return (valueIsSanitized(node.test) ||
+                valueIsSanitized(node.consequent) ||
+                valueIsSanitized(node.alternate));
+        }
+        if (t.isTemplateLiteral(node)) {
+            return node.expressions.some((expr) => valueIsSanitized(expr));
+        }
+        if (t.isArrayExpression(node)) {
+            return node.elements.some((el) => (t.isExpression(el) ? valueIsSanitized(el) : false));
+        }
+        if (t.isObjectExpression(node)) {
+            return node.properties.some((prop) => {
+                if (t.isObjectProperty(prop) && t.isExpression(prop.value))
+                    return valueIsSanitized(prop.value);
+                if (t.isSpreadElement(prop) && t.isExpression(prop.argument))
+                    return valueIsSanitized(prop.argument);
+                return false;
+            });
+        }
+        if (t.isUnaryExpression(node)) {
+            return t.isExpression(node.argument) ? valueIsSanitized(node.argument) : false;
+        }
+        if (t.isSequenceExpression(node)) {
+            return node.expressions.some((expr) => valueIsSanitized(expr));
+        }
+        return false;
+    };
+    const valueIsTainted = (node) => {
+        if (valueIsSanitized(node))
+            return false;
+        if (taintedExpressions.has(node))
+            return true;
+        if (t.isIdentifier(node))
+            return isTainted(node.name);
+        if (t.isMemberExpression(node)) {
+            return t.isExpression(node.object) ? valueIsTainted(node.object) : false;
+        }
+        if (t.isCallExpression(node)) {
+            if (isSanitizerCall(node)) {
+                sanitizedExpressions.add(node);
+                return false;
+            }
+            if (isSourceCall(node))
+                return true;
+            return false;
+        }
+        if (t.isBinaryExpression(node) || t.isLogicalExpression(node)) {
+            return valueIsTainted(node.left) || valueIsTainted(node.right);
+        }
+        if (t.isConditionalExpression(node)) {
+            return valueIsTainted(node.test) || valueIsTainted(node.consequent) || valueIsTainted(node.alternate);
+        }
+        if (t.isTemplateLiteral(node)) {
+            return node.expressions.some((expr) => valueIsTainted(expr));
+        }
+        if (t.isArrayExpression(node)) {
+            return node.elements.some((el) => (t.isExpression(el) ? valueIsTainted(el) : false));
+        }
+        if (t.isObjectExpression(node)) {
+            return node.properties.some((prop) => {
+                if (t.isObjectProperty(prop) && t.isExpression(prop.value))
+                    return valueIsTainted(prop.value);
+                if (t.isSpreadElement(prop) && t.isExpression(prop.argument))
+                    return valueIsTainted(prop.argument);
+                return false;
+            });
+        }
+        if (t.isUnaryExpression(node)) {
+            return t.isExpression(node.argument) ? valueIsTainted(node.argument) : false;
+        }
+        if (t.isSequenceExpression(node)) {
+            return node.expressions.some((expr) => valueIsTainted(expr));
+        }
+        return false;
+    };
+    const handleAssignment = (id, value) => {
+        if (t.isCallExpression(value)) {
+            if (isSanitizerCall(value)) {
+                untaint(id.name);
+                sanitize(id.name);
+                sanitizedExpressions.add(value);
+                return;
+            }
+            if (isSourceCall(value)) {
+                taint(id.name);
+                unsanitize(id.name);
+                taintedExpressions.add(value);
+                return;
+            }
+        }
+        if (valueIsSanitized(value)) {
+            untaint(id.name);
+            sanitize(id.name);
+        }
+        else if (valueIsTainted(value)) {
+            taint(id.name);
+            unsanitize(id.name);
+        }
+        else {
+            untaint(id.name);
+            unsanitize(id.name);
+        }
+    };
+    traverse(ast, {
+        Program: {
+            enter() {
+                pushScope();
+                pushSanitizedScope();
+            },
+            exit() {
+                popScope();
+                popSanitizedScope();
+            }
+        },
+        Function: {
+            enter() {
+                pushScope();
+                pushSanitizedScope();
+            },
+            exit() {
+                popScope();
+                popSanitizedScope();
+            }
+        },
+        VariableDeclarator(path) {
+            if (!path.node.init)
+                return;
+            if (!t.isIdentifier(path.node.id))
+                return;
+            handleAssignment(path.node.id, path.node.init);
+        },
+        AssignmentExpression(path) {
+            const left = path.node.left;
+            if (!t.isIdentifier(left))
+                return;
+            handleAssignment(left, path.node.right);
+        },
+        CallExpression(path) {
+            const sink = isSinkCall(path.node);
+            if (!sink)
+                return;
+            const args = path.node.arguments;
+            const hasTaintedArg = args.some((arg) => Boolean(t.isExpression(arg) && valueIsTainted(arg)));
+            if (!hasTaintedArg)
+                return;
+            const loc = path.node.loc?.start;
+            findings.push({
+                sourceId: "tainted",
+                sinkId: sink.id,
+                file: filePath,
+                line: loc?.line,
+                column: typeof loc?.column === "number" ? loc.column + 1 : undefined,
+                message: `Tainted data reaches sink ${sink.name}`
+            });
+        }
+    });
+    return findings;
+}
+function getCalleeNames(node) {
+    const callee = node.callee;
+    if (t.isIdentifier(callee))
+        return [callee.name];
+    if (t.isMemberExpression(callee) || t.isOptionalMemberExpression(callee)) {
+        return memberExpressionToNames(callee);
+    }
+    return [];
+}
+function memberExpressionToNames(node) {
+    const chain = extractMemberChain(node);
+    if (!chain.length)
+        return [];
+    const variants = new Set();
+    for (let i = 0; i < chain.length; i += 1) {
+        variants.add(chain.slice(i).join("."));
+    }
+    return Array.from(variants);
+}
+function extractMemberChain(node) {
+    if (node.computed) {
+        if (t.isStringLiteral(node.property)) {
+            const objectNames = extractMemberObjectNames(node.object);
+            return objectNames.length ? [...objectNames, node.property.value] : [];
+        }
+        return [];
+    }
+    const objectNames = extractMemberObjectNames(node.object);
+    if (!t.isIdentifier(node.property))
+        return [];
+    return objectNames.length ? [...objectNames, node.property.name] : [];
+}
+function extractMemberObjectNames(object) {
+    if (t.isIdentifier(object))
+        return [object.name];
+    if (t.isThisExpression(object))
+        return ["this"];
+    if (t.isMemberExpression(object) || t.isOptionalMemberExpression(object))
+        return extractMemberChain(object);
+    return [];
+}
+function matchesAnyCallee(calleeNames, matcher) {
+    for (const calleeName of calleeNames) {
+        if (matchesCallee(calleeName, matcher))
+            return true;
+    }
+    return false;
+}
+function matchesCallee(calleeName, matcher) {
+    if (matcher.callee) {
+        const match = matcher.callee;
+        if (Array.isArray(match) && match.includes(calleeName))
+            return true;
+        if (match === calleeName)
+            return true;
+    }
+    if (matcher.calleePrefix) {
+        const match = matcher.calleePrefix;
+        if (Array.isArray(match) && match.some((prefix) => calleeName.startsWith(prefix)))
+            return true;
+        if (typeof match === "string" && calleeName.startsWith(match))
+            return true;
+    }
+    if (matcher.calleePattern) {
+        const match = matcher.calleePattern;
+        if (Array.isArray(match) && match.some((pattern) => matchGlob(calleeName, pattern)))
+            return true;
+        if (typeof match === "string" && matchGlob(calleeName, match))
+            return true;
+    }
+    return false;
+}
+function matchGlob(value, pattern) {
+    if (pattern === value)
+        return true;
+    try {
+        const picomatch = require("picomatch");
+        const isMatch = picomatch(pattern, { nocase: false, dot: true });
+        return isMatch(value);
+    }
+    catch {
+        return false;
+    }
+}
+function normalizeTraverse(value) {
+    return value.default ?? value;
+}

package/dist/engines/analysis/universalPatterns.js

@@ -0,0 +1,56 @@
+const PATTERNS = [
+    {
+        id: "exec-os-system",
+        title: "Command Execution",
+        description: "Potential command execution via system call.",
+        severity: "critical",
+        owasp: "A03:2021 Injection",
+        pattern: /\b(os\.system|subprocess\.(call|run|Popen)|Runtime\.getRuntime\(\)\.exec|ProcessBuilder|exec\.Command|system\s*\(|popen\s*\(|Process\.Start|ShellExecute)\b/gi
+    },
+    {
+        id: "eval-exec",
+        title: "Dynamic Code Execution",
+        description: "Potential dynamic code execution detected.",
+        severity: "high",
+        owasp: "A03:2021 Injection",
+        pattern: /\b(eval|exec|Function|vm\.runInThisContext|loadstring)\s*\(/gi
+    },
+    {
+        id: "unsafe-deserialization",
+        title: "Unsafe Deserialization",
+        description: "Potential unsafe deserialization API usage.",
+        severity: "high",
+        owasp: "A08:2021 Software and Data Integrity Failures",
+        pattern: /\b(pickle\.loads?|yaml\.load|YAML\.load|ObjectInputStream|BinaryFormatter|XmlSerializer|Marshal\.load|PHP\s*unserialize|unserialize\s*\()\b/gi
+    },
+    {
+        id: "weak-crypto",
+        title: "Weak Crypto",
+        description: "Use of weak or deprecated crypto primitives.",
+        severity: "medium",
+        owasp: "A02:2021 Cryptographic Failures",
+        pattern: /\b(MD5|SHA1|RC4|DES|3DES|ECB)\b/gi
+    }
+];
+export function runUniversalPatterns(code, filePath) {
+    const findings = [];
+    const lines = code.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i += 1) {
+        const line = lines[i];
+        for (const rule of PATTERNS) {
+            if (rule.pattern.test(line)) {
+                findings.push({
+                    id: rule.id,
+                    severity: rule.severity,
+                    owasp: rule.owasp,
+                    title: rule.title,
+                    description: rule.description,
+                    file: filePath,
+                    line: i + 1
+                });
+            }
+            rule.pattern.lastIndex = 0;
+        }
+    }
+    return findings;
+}