payload-doctor 0.5.4

package/dist/checks/config.js

@@ -0,0 +1,444 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.configChecks = void 0;
+const ts_morph_1 = require("ts-morph");
+const util_1 = require("../util");
+const CONNECTION_STRING = /(mongodb(\+srv)?|postgres(ql)?|mysql|redis):\/\/[^/\s:]+:[^@/\s]+@/;
+const KEY_PREFIX = /^(sk-[a-z]|sk_live_|sk_test_|rk_live_|AKIA[0-9A-Z]{16}|ghp_|xox[bp]-|AIza)/;
+/** Hardcoded secrets / credentials in source instead of env vars. */
+const hardcodedSecret = {
+    id: 'hardcoded-secret',
+    category: 'security',
+    describe: 'Secret, key or credential hardcoded as a string literal',
+    run(file, ctx) {
+        const findings = [];
+        // In trusted system code (seed/migrations/scripts) a literal is usually a
+        // dev/seed default, not a leaked production secret -> info, don't tank the score.
+        const sev = (0, util_1.isSystemPath)(file.getFilePath()) ? 'info' : 'error';
+        // secret: '...'  (e.g. PAYLOAD_SECRET) assigned a literal, not process.env
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            const name = pa.getName().replace(/['"`]/g, '').toLowerCase();
+            if (!/^(secret|payload_secret|apikey|api_key|password|privatekey)$/.test(name))
+                continue;
+            const init = pa.getInitializer();
+            if (!init || !ts_morph_1.Node.isStringLiteral(init))
+                continue;
+            const val = init.getLiteralValue();
+            if (val.length < 6)
+                continue;
+            findings.push((0, util_1.makeFinding)(pa, ctx, 'hardcoded-secret', 'security', sev, `"${name}" is assigned a hardcoded literal instead of an environment variable`, 'Read it from process.env and fail closed when it is missing.'));
+        }
+        // connection strings with embedded credentials, and known key prefixes
+        for (const lit of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.StringLiteral)) {
+            const val = lit.getLiteralValue();
+            if (CONNECTION_STRING.test(val)) {
+                findings.push((0, util_1.makeFinding)(lit, ctx, 'hardcoded-secret', 'security', sev, 'Connection string with embedded credentials found in source', 'Move it to an environment variable.'));
+            }
+            else if (KEY_PREFIX.test(val)) {
+                findings.push((0, util_1.makeFinding)(lit, ctx, 'hardcoded-secret', 'security', sev, 'Value looks like a live API key committed to source', 'Rotate the key and load it from the environment.'));
+            }
+        }
+        return findings;
+    },
+};
+/** Wide-open CORS (`'*'`) accepts requests from any origin. */
+const wideOpenCors = {
+    id: 'wide-open-cors',
+    category: 'config',
+    describe: "CORS configured as '*' (any origin)",
+    run(file, ctx) {
+        const findings = [];
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            if (pa.getName().replace(/['"`]/g, '') !== 'cors')
+                continue;
+            const init = pa.getInitializer();
+            if (!init)
+                continue;
+            const text = init.getText().replace(/\s+/g, '');
+            if (text === "'*'" || text === '"*"' || text === "['*']" || text === '["*"]') {
+                findings.push((0, util_1.makeFinding)(pa, ctx, 'wide-open-cors', 'config', 'warning', 'CORS allows any origin (*)', 'List the exact origins you trust instead of "*".'));
+            }
+        }
+        return findings;
+    },
+};
+const SENSITIVE_WORDS = new Set([
+    'token',
+    'hash',
+    'secret',
+    'apikey',
+    'apisecret',
+    'resetkey',
+    'accesskey',
+]);
+/**
+ * Token/hash/secret fields are exposed through the REST/GraphQL API unless
+ * field-level read access denies it. admin.hidden only hides the admin UI.
+ */
+const tokenFieldReadable = {
+    id: 'token-field-readable',
+    category: 'privacy',
+    describe: 'Sensitive field readable via API (no field-level read:false)',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            if (!(0, util_1.isCollectionConfig)(obj))
+                continue;
+            const slug = (0, util_1.unquote)((0, util_1.propText)(obj, 'slug')) ?? 'unknown';
+            for (const f of (0, util_1.getFieldObjects)(obj)) {
+                const name = (0, util_1.unquote)((0, util_1.propText)(f, 'name'));
+                if (!name || !(0, util_1.hasSegment)(name, SENSITIVE_WORDS))
+                    continue;
+                const accessInit = (0, util_1.propInit)(f, 'access');
+                const guarded = accessInit &&
+                    ts_morph_1.Node.isObjectLiteralExpression(accessInit) &&
+                    (0, util_1.hasProp)(accessInit, 'read');
+                if (guarded)
+                    continue;
+                findings.push((0, util_1.makeFinding)(f, ctx, 'token-field-readable', 'privacy', 'warning', `Sensitive field "${name}" on "${slug}" can be read through the API`, 'Add field access: { read: () => false }. admin.hidden only hides the UI, not the API.'));
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * A collection/global config without a slug. Payload requires a unique slug per
+ * collection (it drives the DB collection and admin/API routes). We only flag
+ * high-confidence configs — inline elements of a `collections:`/`globals:` array,
+ * or objects explicitly typed `CollectionConfig`/`GlobalConfig` — so nested field
+ * groups and tabs (which also carry `fields` but no slug) are never mistaken.
+ */
+const collectionMissingSlug = {
+    id: 'collection-missing-slug',
+    category: 'config',
+    describe: 'Collection/global config without a slug',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            if (!(0, util_1.hasProp)(obj, 'fields') || (0, util_1.hasProp)(obj, 'slug'))
+                continue;
+            if ((0, util_1.hasProp)(obj, 'type') || (0, util_1.hasProp)(obj, 'name'))
+                continue; // it's a field, not a config
+            if ((0, util_1.hasSpread)(obj))
+                continue; // a spread may supply the slug
+            const arrProp = (0, util_1.enclosingArrayProp)(obj);
+            const inConfigArray = arrProp === 'collections' || arrProp === 'globals';
+            const typed = /CollectionConfig|GlobalConfig/.test((0, util_1.directTypeHint)(obj));
+            if (!inConfigArray && !typed)
+                continue;
+            findings.push((0, util_1.makeFinding)(obj, ctx, 'collection-missing-slug', 'config', 'error', 'Collection/global config has no slug — Payload requires a unique slug', 'Add a slug, e.g. slug: "posts".'));
+        }
+        return findings;
+    },
+};
+// Hooks whose return value is consumed by Payload (the transformed data/doc).
+const TRANSFORMING_HOOKS = new Set([
+    'beforeChange',
+    'beforeValidate',
+    'beforeRead',
+    'afterRead',
+    'beforeDuplicate',
+]);
+/** Does a function node return a value at its own scope (not a nested callback)? */
+function functionReturnsValue(fn) {
+    if (ts_morph_1.Node.isArrowFunction(fn)) {
+        const body = fn.getBody();
+        if (body && !ts_morph_1.Node.isBlock(body))
+            return true; // implicit expression-body return
+    }
+    const body = fn.getBody?.();
+    if (!body || !ts_morph_1.Node.isBlock(body))
+        return false;
+    let found = false;
+    body.forEachDescendant((node, traversal) => {
+        if (ts_morph_1.Node.isFunctionDeclaration(node) ||
+            ts_morph_1.Node.isFunctionExpression(node) ||
+            ts_morph_1.Node.isArrowFunction(node) ||
+            ts_morph_1.Node.isMethodDeclaration(node)) {
+            traversal.skip();
+            return;
+        }
+        if (ts_morph_1.Node.isReturnStatement(node) && node.getExpression()) {
+            found = true;
+            traversal.stop();
+        }
+    });
+    return found;
+}
+/**
+ * A transforming hook (beforeChange/beforeValidate/afterRead…) that never returns
+ * a value silently drops the change — Payload uses the return value as the new
+ * data/doc. Side-effect-only hooks (afterChange, afterDelete…) are not flagged.
+ */
+const hookMissingReturn = {
+    id: 'hook-missing-return',
+    category: 'correctness',
+    describe: 'Transforming hook (beforeChange/afterRead…) returns nothing',
+    run(file, ctx) {
+        const findings = [];
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            const name = pa.getName().replace(/['"`]/g, '');
+            if (!TRANSFORMING_HOOKS.has(name))
+                continue;
+            const init = pa.getInitializer();
+            if (!init || !ts_morph_1.Node.isArrayLiteralExpression(init))
+                continue;
+            for (const el of init.getElements()) {
+                if (!ts_morph_1.Node.isArrowFunction(el) && !ts_morph_1.Node.isFunctionExpression(el))
+                    continue;
+                if (functionReturnsValue(el))
+                    continue;
+                findings.push((0, util_1.makeFinding)(el, ctx, 'hook-missing-return', 'correctness', 'warning', `${name} hook returns nothing — Payload uses the return value, so the change is discarded`, 'Return data (before* hooks) or doc (afterRead) at the end of the hook.'));
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * admin.hidden only hides a field in the Admin UI — it is still returned by the
+ * REST/GraphQL API. Without field-level read access that is a false sense of
+ * security. We flag fields with admin.hidden:true and no field `access`.
+ */
+const adminHiddenNotAccess = {
+    id: 'admin-hidden-not-access',
+    category: 'security',
+    describe: 'Field hidden in admin UI but still readable via API (no field access)',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            if (!(0, util_1.hasProp)(obj, 'name') || !(0, util_1.hasProp)(obj, 'type'))
+                continue; // must be a field
+            if ((0, util_1.hasProp)(obj, 'access'))
+                continue; // dev set field access -> assume intentional
+            const adminInit = (0, util_1.propInit)(obj, 'admin');
+            if (!adminInit || !ts_morph_1.Node.isObjectLiteralExpression(adminInit))
+                continue;
+            if ((0, util_1.propText)(adminInit, 'hidden') !== 'true')
+                continue;
+            const name = (0, util_1.unquote)((0, util_1.propText)(obj, 'name')) ?? 'field';
+            findings.push((0, util_1.makeFinding)(obj, ctx, 'admin-hidden-not-access', 'security', 'warning', `Field "${name}" uses admin.hidden but has no field access — it is still returned by the API`, 'admin.hidden hides only the Admin UI. Add access: { read: () => false } (or top-level hidden: true) to keep it out of API responses.'));
+        }
+        return findings;
+    },
+};
+const RELATION_TYPES = new Set(['relationship', 'upload']);
+/** relationship/upload field without relationTo — Payload cannot resolve the relation. */
+const relationshipMissingRelationTo = {
+    id: 'relationship-missing-relationTo',
+    category: 'correctness',
+    describe: 'relationship/upload field without relationTo',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            const type = (0, util_1.unquote)((0, util_1.propText)(obj, 'type'));
+            if (!type || !RELATION_TYPES.has(type))
+                continue;
+            if ((0, util_1.hasProp)(obj, 'relationTo') || (0, util_1.hasSpread)(obj))
+                continue;
+            const name = (0, util_1.unquote)((0, util_1.propText)(obj, 'name')) ?? 'field';
+            findings.push((0, util_1.makeFinding)(obj, ctx, 'relationship-missing-relationTo', 'correctness', 'error', `${type} field "${name}" has no relationTo — Payload cannot resolve the relation`, 'Add relationTo: "collection-slug" (or an array of slugs for polymorphic relations).'));
+        }
+        return findings;
+    },
+};
+const OPTION_TYPES = new Set(['select', 'radio']);
+/** select/radio field without options — required by Payload. */
+const selectWithoutOptions = {
+    id: 'select-without-options',
+    category: 'correctness',
+    describe: 'select/radio field without options',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            const type = (0, util_1.unquote)((0, util_1.propText)(obj, 'type'));
+            if (!type || !OPTION_TYPES.has(type))
+                continue;
+            if ((0, util_1.hasProp)(obj, 'options') || (0, util_1.hasSpread)(obj))
+                continue;
+            const name = (0, util_1.unquote)((0, util_1.propText)(obj, 'name')) ?? 'field';
+            findings.push((0, util_1.makeFinding)(obj, ctx, 'select-without-options', 'correctness', 'error', `${type} field "${name}" has no options`, 'Add options: [{ label, value }, …].'));
+        }
+        return findings;
+    },
+};
+/**
+ * Two fields with the same name in the same fields array collide. We check each
+ * literal `fields:` array independently (its own namespace), so nested groups
+ * are handled correctly and there are no cross-namespace false positives.
+ */
+const duplicateFieldName = {
+    id: 'duplicate-field-name',
+    category: 'correctness',
+    describe: 'Duplicate field name within the same fields array',
+    run(file, ctx) {
+        const findings = [];
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            if (pa.getName().replace(/['"`]/g, '') !== 'fields')
+                continue;
+            const init = pa.getInitializer();
+            if (!init || !ts_morph_1.Node.isArrayLiteralExpression(init))
+                continue;
+            const seen = new Set();
+            for (const el of init.getElements()) {
+                if (!ts_morph_1.Node.isObjectLiteralExpression(el))
+                    continue;
+                const name = (0, util_1.unquote)((0, util_1.propText)(el, 'name'));
+                if (!name)
+                    continue;
+                if (seen.has(name)) {
+                    findings.push((0, util_1.makeFinding)(el, ctx, 'duplicate-field-name', 'correctness', 'error', `Duplicate field name "${name}" in the same fields array — the fields collide`, 'Field names must be unique within their level; rename one.'));
+                }
+                seen.add(name);
+            }
+        }
+        return findings;
+    },
+};
+// Field names Payload reserves / auto-manages; redefining them collides.
+const RESERVED_FIELD_NAMES = new Set(['id', '_id', 'createdAt', 'updatedAt', '_status', 'blockType', 'blockName']);
+// Payload's internal collection slugs.
+const RESERVED_SLUGS = new Set([
+    'payload-preferences',
+    'payload-migrations',
+    'payload-locked-documents',
+    'payload-jobs',
+]);
+// Field names that are very commonly used as query filters.
+const FILTER_FIELD_NAMES = new Set(['email', 'slug', 'username', 'externalid', 'sku']);
+/**
+ * Weak auth config: lockout disabled (`maxLoginAttempts: 0`) or a very long
+ * `tokenExpiration`. Payload's defaults are safe, so we only flag explicit
+ * weakenings — not a missing option (the default still applies).
+ */
+const authWeakConfig = {
+    id: 'auth-weak-config',
+    category: 'security',
+    describe: 'Auth config weakens brute-force lockout or uses a very long token lifetime',
+    run(file, ctx) {
+        const findings = [];
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            if (pa.getName().replace(/['"`]/g, '') !== 'auth')
+                continue;
+            const auth = pa.getInitializer();
+            if (!auth || !ts_morph_1.Node.isObjectLiteralExpression(auth))
+                continue;
+            const maxAttempts = (0, util_1.propText)(auth, 'maxLoginAttempts');
+            if (maxAttempts === '0') {
+                findings.push((0, util_1.makeFinding)(auth, ctx, 'auth-weak-config', 'security', 'warning', 'maxLoginAttempts: 0 disables brute-force lockout entirely', 'Use a small positive number (Payload defaults to 5) to lock accounts after failed logins.'));
+            }
+            const exp = (0, util_1.propText)(auth, 'tokenExpiration');
+            if (exp && /^\d+$/.test(exp) && Number(exp) > 2592000) {
+                findings.push((0, util_1.makeFinding)(auth, ctx, 'auth-weak-config', 'security', 'warning', `tokenExpiration is ${exp}s (> 30 days) — a long-lived token widens the window if it leaks`, 'Prefer a short tokenExpiration and refresh, unless this collection truly needs long sessions.'));
+            }
+        }
+        return findings;
+    },
+};
+/**
+ * Field name or collection slug that collides with Payload-reserved identifiers
+ * or is illegal in MongoDB (contains "." or starts with "$"). Generic SQL keywords
+ * are intentionally NOT flagged — the SQL adapter quotes identifiers, so they work.
+ */
+const reservedFieldName = {
+    id: 'reserved-field-name',
+    category: 'config',
+    describe: 'Field name / slug collides with a Payload-reserved or Mongo-illegal identifier',
+    run(file, ctx) {
+        const findings = [];
+        // Reserved names (id/createdAt/…) only collide at the collection document top
+        // level. Inside array/blocks rows `id` is normal, and group/tab fields are
+        // namespaced — so skip the reserved-name check there (Mongo-illegal still applies).
+        const inSubFieldScope = (obj) => {
+            let cur = obj.getParent();
+            while (cur) {
+                if (ts_morph_1.Node.isObjectLiteralExpression(cur)) {
+                    const t = (0, util_1.propText)(cur, 'type')?.replace(/['"`]/g, '');
+                    if (t === 'array' || t === 'blocks' || t === 'group')
+                        return true;
+                }
+                cur = cur.getParent();
+            }
+            return false;
+        };
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            // field name — only objects that are actually fields in a `fields: [...]`
+            // array. This excludes query/select/alias objects elsewhere (e.g. a
+            // `{ name: 'm.name' }` projection in a raw query) that merely look field-ish.
+            if ((0, util_1.hasProp)(obj, 'name') && (0, util_1.hasProp)(obj, 'type') && (0, util_1.enclosingArrayProp)(obj) === 'fields') {
+                const name = (0, util_1.unquote)((0, util_1.propText)(obj, 'name'));
+                if (name) {
+                    const illegal = name.includes('.') || name.startsWith('$');
+                    const reserved = RESERVED_FIELD_NAMES.has(name) && !inSubFieldScope(obj);
+                    if (reserved || illegal) {
+                        findings.push((0, util_1.makeFinding)(obj, ctx, 'reserved-field-name', 'config', 'warning', `Field name "${name}" is reserved by Payload or illegal in MongoDB`, 'Rename the field (Payload manages id/_id/createdAt/updatedAt/_status itself; "." and "$" are invalid in Mongo keys).', `// rename "${name}" — Payload manages id/_id/createdAt/updatedAt/_status itself,\n// and "."/"$" are invalid in MongoDB keys`));
+                    }
+                }
+            }
+            // collection slug
+            if ((0, util_1.isCollectionConfig)(obj)) {
+                const slug = (0, util_1.unquote)((0, util_1.propText)(obj, 'slug'));
+                if (slug && RESERVED_SLUGS.has(slug)) {
+                    findings.push((0, util_1.makeFinding)(obj, ctx, 'reserved-field-name', 'config', 'warning', `Collection slug "${slug}" collides with a Payload-internal collection`, 'Choose a different slug; payload-* slugs are reserved for Payload internals.'));
+                }
+            }
+        }
+        return findings;
+    },
+};
+/** maxDepth/defaultDepth set very high can make populated queries blow up. */
+const excessiveMaxDepth = {
+    id: 'excessive-max-depth',
+    category: 'config',
+    describe: 'maxDepth / defaultDepth set above 10',
+    run(file, ctx) {
+        const findings = [];
+        for (const pa of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.PropertyAssignment)) {
+            const name = pa.getName().replace(/['"`]/g, '');
+            if (name !== 'maxDepth' && name !== 'defaultDepth')
+                continue;
+            const init = pa.getInitializer();
+            if (!init || !ts_morph_1.Node.isNumericLiteral(init))
+                continue;
+            const val = Number(init.getText());
+            if (val > 10) {
+                findings.push((0, util_1.makeFinding)(pa, ctx, 'excessive-max-depth', 'config', 'warning', `${name} is ${val} — deep relationship population can balloon query cost and response size`, 'Keep depth small (often 1–2) and request more only where needed.'));
+            }
+        }
+        return findings;
+    },
+};
+/** Commonly-filtered fields without an index pay a scan cost on every lookup. */
+const missingIndexOnFilterField = {
+    id: 'missing-index-on-filter-field',
+    category: 'config',
+    describe: 'Commonly-filtered field (email/slug/…) without index: true',
+    run(file, ctx) {
+        const findings = [];
+        for (const obj of file.getDescendantsOfKind(ts_morph_1.SyntaxKind.ObjectLiteralExpression)) {
+            if (!(0, util_1.hasProp)(obj, 'name') || !(0, util_1.hasProp)(obj, 'type'))
+                continue;
+            const name = (0, util_1.unquote)((0, util_1.propText)(obj, 'name'));
+            if (!name || !FILTER_FIELD_NAMES.has(name.toLowerCase()))
+                continue;
+            if ((0, util_1.propText)(obj, 'index') === 'true' || (0, util_1.propText)(obj, 'unique') === 'true')
+                continue;
+            findings.push((0, util_1.makeFinding)(obj, ctx, 'missing-index-on-filter-field', 'config', 'info', `Field "${name}" is commonly filtered but has no index — add index: true if you query by it`, 'Set index: true (or unique: true) to avoid full collection scans.'));
+        }
+        return findings;
+    },
+};
+exports.configChecks = [
+    hardcodedSecret,
+    wideOpenCors,
+    tokenFieldReadable,
+    collectionMissingSlug,
+    hookMissingReturn,
+    adminHiddenNotAccess,
+    relationshipMissingRelationTo,
+    selectWithoutOptions,
+    duplicateFieldName,
+    authWeakConfig,
+    reservedFieldName,
+    excessiveMaxDepth,
+    missingIndexOnFilterField,
+];

package/dist/checks/index.js

@@ -0,0 +1,15 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ALL_CHECKS = void 0;
+const access_1 = require("./access");
+const routes_1 = require("./routes");
+const config_1 = require("./config");
+const rendering_1 = require("./rendering");
+const quality_1 = require("./quality");
+exports.ALL_CHECKS = [
+    ...access_1.accessChecks,
+    ...routes_1.routeChecks,
+    ...config_1.configChecks,
+    ...rendering_1.renderingChecks,
+    ...quality_1.qualityChecks,
+];