pinata-security-cli 0.5.3 → 0.6.1

package/src/categories/definitions/security/deserialization.yml

@@ -84,6 +84,18 @@ detectionPatterns:
     pattern: "serialize-javascript|js-yaml\\.load\\("
     confidence: medium
     description: Detects serialization libraries that may allow code execution
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
+      - "yaml\\.load\\(.*schema:\\s*yaml\\.JSON_SCHEMA"
 
   - id: ts-eval-json
     type: regex
@@ -91,6 +103,16 @@ detectionPatterns:
     pattern: "eval\\s*\\(.*JSON|Function\\s*\\([\"']return[\"']\\s*\\+"
     confidence: high
     description: Detects eval-based JSON parsing which allows code execution
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
 
   - id: ts-node-serialize
     type: regex
@@ -98,6 +120,16 @@ detectionPatterns:
     pattern: "node-serialize|serialize-to-js"
     confidence: high
     description: Detects node-serialize which is vulnerable to RCE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
 
   - id: ts-vm-runinnewcontext
     type: regex
@@ -105,6 +137,18 @@ detectionPatterns:
     pattern: "vm\\.runInNewContext\\s*\\(|vm\\.runInThisContext\\s*\\("
     confidence: high
     description: Detects Node.js vm module with potential untrusted code
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
+      - "vm2|isolated-vm"
 
   - id: ts-unserialize
     type: regex

package/src/categories/definitions/security/file-upload.yml

@@ -46,6 +46,16 @@ detectionPatterns:
     pattern: "multer\\s*\\(\\s*\\{(?!.*fileFilter)"
     confidence: high
     description: Multer configured without fileFilter - accepts any file type
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+      - "req\\.(body|params|query)"
+    sanitizers:
+      - "fileFilter"
+      - "mimetype"
+      - "file\\.mimetype"
+      - "path\\.extname\\("
+      - "path\\.basename\\("
 
   - id: multer-no-limits
     type: regex
@@ -122,6 +132,16 @@ detectionPatterns:
     description: |
       [REVIEW] File processed without extension validation.
       Verify allowed file types are checked.
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+    sanitizers:
+      - "path\\.extname\\("
+      - "\\.endsWith\\("
+      - "\\.match\\("
+      - "fileFilter"
+      - "allowedExtensions"
+      - "path\\.basename\\("
 
   - id: no-mimetype-check
     type: regex
@@ -131,6 +151,16 @@ detectionPatterns:
     description: |
       [REVIEW] File processed without MIME type check.
       Content-type can be spoofed, combine with magic number check.
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+    sanitizers:
+      - "mimetype"
+      - "content-type"
+      - "file-type"
+      - "magic-bytes"
+      - "fileFilter"
+      - "path\\.basename\\("
 
   # Path traversal in filename
   - id: path-traversal-filename
@@ -141,6 +171,15 @@ detectionPatterns:
     description: |
       Filename from request used in path.join without sanitization.
       Path traversal attack possible (../../etc/passwd).
+    sources:
+      - "req\\.file\\.originalname"
+      - "req\\.file\\.filename"
+      - "req\\.(body|params|query)"
+    sanitizers:
+      - "path\\.basename\\("
+      - "sanitizeFilename\\("
+      - "secure_filename\\("
+      - "\\.\\..*reject|\\.\\..*throw"
 
 testTemplates:
   - id: pytest-file-upload

package/src/categories/definitions/security/ldap-injection.yml

@@ -77,6 +77,14 @@ detectionPatterns:
     pattern: "ldap.*client\\.search\\(.*\\+|ldapClient\\.search.*`.*\\$\\{"
     confidence: high
     description: Detects ldapjs search with string interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
+      - "sanitizeFilter\\("
 
   - id: ts-ldap-filter-template
     type: regex
@@ -84,6 +92,12 @@ detectionPatterns:
     pattern: "ldap.*filter.*=.*`.*\\$\\{|ldapFilter.*\\$\\{"
     confidence: high
     description: Detects LDAP filter with template literal interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
 
   - id: ts-activedirectory
     type: regex
@@ -91,6 +105,12 @@ detectionPatterns:
     pattern: "activedirectory.*find.*\\+|ad\\.find.*`.*\\$\\{"
     confidence: medium
     description: Detects ActiveDirectory library with user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
 
   - id: ts-ldap-escape-missing
     type: regex
@@ -99,6 +119,9 @@ detectionPatterns:
     confidence: medium
     description: Detects LDAP search operations
     negativePattern: "ldap\\.escape|escape.*filter|sanitize"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
 
 testTemplates:
   - id: pytest-ldap-injection

package/src/categories/definitions/security/path-traversal.yml

@@ -80,12 +80,25 @@ detectionPatterns:
     pattern: "fs\\.(readFile|readFileSync|createReadStream)\\s*\\(.*\\+|fs\\.(readFile|readFileSync)\\s*\\(`.*\\$\\{"
     confidence: high
     description: Detects fs.readFile with string concatenation or template literal
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "path\\.resolve\\(.*path\\.normalize"
+      - "\\.startsWith\\("
+      - "path\\.relative\\(.*\\.startsWith"
+      - "\\brealpath"
 
   - id: ts-path-join-req
     type: regex
     language: typescript
     pattern: "path\\.join\\s*\\(.*req\\.(params|query|body)"
     confidence: medium
+    sanitizers:
+      - "\\.startsWith\\("
+      - "path\\.relative\\(.*\\.startsWith"
+      - "\\brealpath"
     description: Detects path.join with request parameters
     negativePattern: "path\\.resolve.*includes\\(|\\.\\.\\/'"
 

package/src/categories/definitions/security/prompt-injection.yml

@@ -44,6 +44,14 @@ detectionPatterns:
     description: |
       CRITICAL: User input concatenated into AI prompt.
       Attacker can inject instructions to manipulate AI behavior.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "sanitizePrompt\\("
+      - "stripInstructions\\("
+      - "encodeForPrompt\\("
 
   - id: prompt-user-input-template
     type: regex
@@ -53,6 +61,12 @@ detectionPatterns:
     description: |
       CRITICAL: User input interpolated into prompt template.
       Use parameterized prompts or sanitize input.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "sanitizePrompt\\("
+      - "stripInstructions\\("
 
   - id: python-prompt-fstring
     type: regex

package/src/categories/definitions/security/sql-injection.yml

@@ -88,6 +88,16 @@ detectionPatterns:
     pattern: "(query|execute|run)\\s*\\(\\s*`.*\\$\\{"
     confidence: high
     description: Detects database query with template literal interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bargs\\b"
+    sanitizers:
+      - "\\$queryRaw\\s*`"
+      - "\\bescapeSql\\("
+      - "\\bsqlstring\\.escape\\("
+      - "\\bpg\\.escapeLiteral\\("
 
   - id: ts-concat-query
     type: regex
@@ -95,6 +105,16 @@ detectionPatterns:
     pattern: "(query|execute|run)\\s*\\(.*\\s*\\+\\s*"
     confidence: medium
     description: Detects database query with string concatenation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\bescapeSql\\("
+      - "\\bsqlstring\\.escape\\("
+      - "\\bpg\\.escapeLiteral\\("
+      - "parseInt\\("
+      - "Number\\("
 
   - id: ts-prisma-raw-unsafe
     type: regex
@@ -102,6 +122,13 @@ detectionPatterns:
     pattern: "\\$queryRawUnsafe\\s*\\(|\\$executeRawUnsafe\\s*\\("
     confidence: high
     description: Detects Prisma unsafe raw query methods
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\$queryRaw\\s*`"
+      - "\\$executeRaw\\s*`"
 
   - id: ts-sequelize-literal
     type: regex
@@ -109,6 +136,9 @@ detectionPatterns:
     pattern: "sequelize\\.literal\\s*\\(\\s*`.*\\$\\{"
     confidence: high
     description: Detects Sequelize literal with interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
 
   # Generic template literal SQL patterns
   - id: ts-template-sql-select

package/src/categories/definitions/security/ssrf.yml

@@ -69,6 +69,18 @@ detectionPatterns:
     pattern: "fetch\\s*\\(.*req\\.(body|query|params)"
     confidence: high
     description: Detects fetch with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 
   - id: ts-axios-user-url
     type: regex
@@ -76,6 +88,18 @@ detectionPatterns:
     pattern: "axios\\.(get|post|put|delete|patch)\\s*\\(.*req\\."
     confidence: high
     description: Detects axios with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 
   - id: ts-got-user-url
     type: regex
@@ -83,6 +107,18 @@ detectionPatterns:
     pattern: "got\\s*\\(.*req\\.|got\\.(get|post)\\s*\\(.*req\\."
     confidence: high
     description: Detects got library with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 
   - id: ts-node-fetch-user
     type: regex
@@ -90,6 +126,18 @@ detectionPatterns:
     pattern: "node-fetch.*req\\.(body|query|params)"
     confidence: high
     description: Detects node-fetch with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 
   - id: ts-http-request-user
     type: regex
@@ -97,6 +145,18 @@ detectionPatterns:
     pattern: "http\\.request\\s*\\(.*req\\.|https\\.request\\s*\\(.*req\\."
     confidence: high
     description: Detects native http/https with user-controlled URL
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "new\\s+URL\\(.*\\)"
+      - "url\\.parse\\("
+      - "isAllowedUrl\\("
+      - "allowlist|whitelist"
+      - "isPrivateIP\\(|isInternalIP\\("
+      - "ipaddr\\.process\\("
 
 testTemplates:
   - id: pytest-ssrf

package/src/categories/definitions/security/xss.yml

@@ -63,6 +63,21 @@ detectionPatterns:
     pattern: "\\.innerHTML\\s*=|\\.outerHTML\\s*="
     confidence: high
     description: Detects direct innerHTML/outerHTML assignment
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bwindow\\.location"
+      - "\\bdocument\\.cookie"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "sanitizeHtml\\("
+      - "encodeURIComponent\\("
+      - "textContent\\s*="
+      - "xss\\("
 
   - id: ts-document-write
     type: regex
@@ -70,6 +85,14 @@ detectionPatterns:
     pattern: "document\\.write\\s*\\(|document\\.writeln\\s*\\("
     confidence: high
     description: Detects document.write() which is vulnerable to XSS
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "encodeURIComponent\\("
 
   - id: ts-dangerouslysetinnerhtml
     type: regex
@@ -78,6 +101,15 @@ detectionPatterns:
     confidence: medium
     description: Detects React dangerouslySetInnerHTML usage
     negativePattern: "DOMPurify\\.sanitize|sanitizeHtml|xss\\("
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\bprops\\."
+      - "\\buseSearchParams"
+      - "\\bfetch\\("
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "sanitizeHtml\\("
+      - "xss\\("
 
   - id: ts-eval-user-input
     type: regex
@@ -85,6 +117,10 @@ detectionPatterns:
     pattern: "eval\\s*\\(|new\\s+Function\\s*\\(|setTimeout\\s*\\(\\s*[`\"'].*\\$\\{"
     confidence: high
     description: Detects eval() or Function() with potential user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
 
   - id: ts-jquery-html
     type: regex

package/src/categories/definitions/security/xxe.yml

@@ -71,6 +71,15 @@ detectionPatterns:
     pattern: "DOMParser\\s*\\(\\)|xmldom|xml2js"
     confidence: medium
     description: Detects XML parsing libraries that may allow XXE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "disableExternalEntities"
+      - "noent:\\s*false"
+      - "explicitCharkey"
+      - "xmlParserOptions.*noent"
 
   - id: ts-libxmljs
     type: regex
@@ -79,6 +88,14 @@ detectionPatterns:
     confidence: high
     description: Detects libxmljs which allows XXE by default
     negativePattern: "noent:\\s*false|nonet:\\s*true"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "noent:\\s*false"
+      - "nonet:\\s*true"
+      - "disableExternalEntities"
 
   - id: ts-fast-xml-parser
     type: regex
@@ -86,6 +103,14 @@ detectionPatterns:
     pattern: "XMLParser\\s*\\(\\)|fast-xml-parser"
     confidence: low
     description: Detects fast-xml-parser usage (check external entity settings)
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "processEntities:\\s*false"
+      - "disableExternalEntities"
+      - "noent:\\s*false"
 
   - id: ts-express-xml
     type: regex
@@ -93,6 +118,13 @@ detectionPatterns:
     pattern: "express-xml-bodyparser|body-parser-xml"
     confidence: medium
     description: Detects Express XML body parsers that may enable XXE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "disableExternalEntities"
+      - "noent:\\s*false"
+      - "xmlParserOptions.*noent"
 
 testTemplates:
   - id: pytest-xxe