pumuki 6.3.270 → 6.3.271

package/core/facts/detectors/typescript/index.test.ts

@@ -19,16 +19,25 @@ import {
   hasConsoleLogCall,
   hasDebuggerStatement,
   hasDeleteOperator,
+  hasDefaultExportedApiRouteHandler,
+  hasDirectNetworkCall,
   hasEmptyCatchClause,
   hasEvalCall,
   hasExplicitAnyType,
   hasFrameworkDependencyImport,
   hasFunctionConstructorUsage,
+  hasInterpolatedUnsafeSqlCall,
+  hasNestedCallbackUsage,
+  hasNestedIfElseStatement,
+  hasNonSemanticClickableJsx,
+  hasSensitiveTokenInUrl,
+  hasWeakBcryptSaltRounds,
   hasNetworkCallWithoutErrorHandling,
   hasMixedCommandQueryClass,
   hasMixedCommandQueryInterface,
   hasUnknownWithoutGuard,
   hasRecordStringUnknownType,
+  hasRedundantAriaRoleOnSemanticJsx,
   hasOverrideMethodThrowingNotImplemented,
   hasLargeClassDeclaration,
   hasSetIntervalStringCallback,
@@ -239,6 +248,390 @@ test('hasAsyncPromiseExecutor detecta ejecutor async en new Promise', () => {
   assert.equal(hasAsyncPromiseExecutor(syncExecutorAst), false);
 });
 
+test('hasWeakBcryptSaltRounds detecta bcrypt con salt rounds inferiores a 10', () => {
+  const weakHashAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'bcrypt' },
+      property: { type: 'Identifier', name: 'hash' },
+    },
+    arguments: [
+      { type: 'Identifier', name: 'password' },
+      { type: 'NumericLiteral', value: 8 },
+    ],
+  };
+  const strongHashAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'bcrypt' },
+      property: { type: 'Identifier', name: 'hashSync' },
+    },
+    arguments: [
+      { type: 'Identifier', name: 'password' },
+      { type: 'NumericLiteral', value: 10 },
+    ],
+  };
+  const configuredRoundsAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'bcrypt' },
+      property: { type: 'Identifier', name: 'hash' },
+    },
+    arguments: [
+      { type: 'Identifier', name: 'password' },
+      { type: 'Identifier', name: 'saltRounds' },
+    ],
+  };
+
+  assert.equal(hasWeakBcryptSaltRounds(weakHashAst), true);
+  assert.equal(hasWeakBcryptSaltRounds(strongHashAst), false);
+  assert.equal(hasWeakBcryptSaltRounds(configuredRoundsAst), false);
+});
+
+test('hasInterpolatedUnsafeSqlCall detecta SQL interpolado en llamadas no parametrizadas', () => {
+  const unsafeQueryAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'db' },
+      property: { type: 'Identifier', name: 'query' },
+    },
+    arguments: [
+      {
+        type: 'TemplateLiteral',
+        expressions: [{ type: 'Identifier', name: 'userId' }],
+        quasis: [],
+      },
+    ],
+  };
+  const unsafePrismaAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'prisma' },
+      property: { type: 'Identifier', name: '$queryRawUnsafe' },
+    },
+    arguments: [
+      {
+        type: 'TemplateLiteral',
+        expressions: [{ type: 'Identifier', name: 'email' }],
+        quasis: [],
+      },
+    ],
+  };
+  const staticQueryAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'db' },
+      property: { type: 'Identifier', name: 'query' },
+    },
+    arguments: [
+      {
+        type: 'TemplateLiteral',
+        expressions: [],
+        quasis: [],
+      },
+    ],
+  };
+  const taggedTemplateAst = {
+    type: 'TaggedTemplateExpression',
+    tag: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'prisma' },
+      property: { type: 'Identifier', name: '$queryRaw' },
+    },
+    quasi: {
+      type: 'TemplateLiteral',
+      expressions: [{ type: 'Identifier', name: 'userId' }],
+      quasis: [],
+    },
+  };
+
+  assert.equal(hasInterpolatedUnsafeSqlCall(unsafeQueryAst), true);
+  assert.equal(hasInterpolatedUnsafeSqlCall(unsafePrismaAst), true);
+  assert.equal(hasInterpolatedUnsafeSqlCall(staticQueryAst), false);
+  assert.equal(hasInterpolatedUnsafeSqlCall(taggedTemplateAst), false);
+});
+
+test('hasSensitiveTokenInUrl detecta tokens sensibles en URL de llamadas de red', () => {
+  const fetchTokenAst = {
+    type: 'CallExpression',
+    callee: { type: 'Identifier', name: 'fetch' },
+    arguments: [{ type: 'StringLiteral', value: '/api/me?access_token=abc' }],
+  };
+  const axiosTemplateTokenAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'axios' },
+      property: { type: 'Identifier', name: 'get' },
+    },
+    arguments: [
+      {
+        type: 'TemplateLiteral',
+        expressions: [{ type: 'Identifier', name: 'token' }],
+        quasis: [{ type: 'TemplateElement', value: { cooked: '/api/me?token=' } }],
+      },
+    ],
+  };
+  const headerTokenAst = {
+    type: 'CallExpression',
+    callee: { type: 'Identifier', name: 'fetch' },
+    arguments: [
+      { type: 'StringLiteral', value: '/api/me' },
+      {
+        type: 'ObjectExpression',
+        properties: [
+          {
+            type: 'ObjectProperty',
+            key: { type: 'Identifier', name: 'headers' },
+            value: { type: 'ObjectExpression', properties: [] },
+          },
+        ],
+      },
+    ],
+  };
+
+  assert.equal(hasSensitiveTokenInUrl(fetchTokenAst), true);
+  assert.equal(hasSensitiveTokenInUrl(axiosTemplateTokenAst), true);
+  assert.equal(hasSensitiveTokenInUrl(headerTokenAst), false);
+});
+
+test('hasDirectNetworkCall detecta fetch y axios directos', () => {
+  const fetchAst = {
+    type: 'CallExpression',
+    callee: { type: 'Identifier', name: 'fetch' },
+    arguments: [{ type: 'StringLiteral', value: '/api/stores' }],
+  };
+  const axiosAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'axios' },
+      property: { type: 'Identifier', name: 'get' },
+    },
+    arguments: [{ type: 'StringLiteral', value: '/api/stores' }],
+  };
+  const mswAst = {
+    type: 'CallExpression',
+    callee: {
+      type: 'MemberExpression',
+      object: { type: 'Identifier', name: 'server' },
+      property: { type: 'Identifier', name: 'use' },
+    },
+    arguments: [],
+  };
+
+  assert.equal(hasDirectNetworkCall(fetchAst), true);
+  assert.equal(hasDirectNetworkCall(axiosAst), true);
+  assert.equal(hasDirectNetworkCall(mswAst), false);
+});
+
+test('hasNonSemanticClickableJsx detecta elementos no semanticos clicables sin teclado', () => {
+  const clickableDivAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'div' },
+    attributes: [
+      { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name: 'onClick' } },
+    ],
+  };
+  const keyboardAccessibleDivAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'div' },
+    attributes: [
+      { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name: 'onClick' } },
+      { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name: 'onKeyDown' } },
+      { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name: 'tabIndex' } },
+    ],
+  };
+  const buttonAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'button' },
+    attributes: [
+      { type: 'JSXAttribute', name: { type: 'JSXIdentifier', name: 'onClick' } },
+    ],
+  };
+
+  assert.equal(hasNonSemanticClickableJsx(clickableDivAst), true);
+  assert.equal(hasNonSemanticClickableJsx(keyboardAccessibleDivAst), false);
+  assert.equal(hasNonSemanticClickableJsx(buttonAst), false);
+});
+
+test('hasRedundantAriaRoleOnSemanticJsx detecta roles ARIA redundantes en HTML semantico', () => {
+  const redundantButtonRoleAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'button' },
+    attributes: [
+      {
+        type: 'JSXAttribute',
+        name: { type: 'JSXIdentifier', name: 'role' },
+        value: { type: 'StringLiteral', value: 'button' },
+      },
+    ],
+  };
+  const expressionRoleAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'nav' },
+    attributes: [
+      {
+        type: 'JSXAttribute',
+        name: { type: 'JSXIdentifier', name: 'role' },
+        value: {
+          type: 'JSXExpressionContainer',
+          expression: { type: 'StringLiteral', value: 'navigation' },
+        },
+      },
+    ],
+  };
+  const necessaryRoleAst = {
+    type: 'JSXOpeningElement',
+    name: { type: 'JSXIdentifier', name: 'div' },
+    attributes: [
+      {
+        type: 'JSXAttribute',
+        name: { type: 'JSXIdentifier', name: 'role' },
+        value: { type: 'StringLiteral', value: 'dialog' },
+      },
+    ],
+  };
+
+  assert.equal(hasRedundantAriaRoleOnSemanticJsx(redundantButtonRoleAst), true);
+  assert.equal(hasRedundantAriaRoleOnSemanticJsx(expressionRoleAst), true);
+  assert.equal(hasRedundantAriaRoleOnSemanticJsx(necessaryRoleAst), false);
+});
+
+test('hasNestedCallbackUsage detecta callback anidado en llamadas', () => {
+  const ast = {
+    type: 'Program',
+    body: [
+      {
+        type: 'CallExpression',
+        callee: { type: 'Identifier', name: 'loadUser' },
+        arguments: [
+          {
+            type: 'ArrowFunctionExpression',
+            body: {
+              type: 'BlockStatement',
+              body: [
+                {
+                  type: 'CallExpression',
+                  callee: { type: 'Identifier', name: 'loadOrders' },
+                  arguments: [
+                    {
+                      type: 'FunctionExpression',
+                      body: { type: 'BlockStatement', body: [] },
+                    },
+                  ],
+                },
+              ],
+            },
+          },
+        ],
+      },
+    ],
+  };
+
+  assert.equal(hasNestedCallbackUsage(ast), true);
+});
+
+test('hasNestedCallbackUsage permite callbacks planos y funciones internas no pasadas como callback', () => {
+  const flatCallbackAst = {
+    type: 'CallExpression',
+    callee: { type: 'Identifier', name: 'loadUser' },
+    arguments: [
+      {
+        type: 'ArrowFunctionExpression',
+        body: { type: 'BlockStatement', body: [] },
+      },
+    ],
+  };
+  const innerFunctionAst = {
+    type: 'ArrowFunctionExpression',
+    body: {
+      type: 'BlockStatement',
+      body: [
+        {
+          type: 'FunctionDeclaration',
+          id: { type: 'Identifier', name: 'helper' },
+          body: { type: 'BlockStatement', body: [] },
+        },
+      ],
+    },
+  };
+
+  assert.equal(hasNestedCallbackUsage(flatCallbackAst), false);
+  assert.equal(hasNestedCallbackUsage(innerFunctionAst), false);
+});
+
+test('hasNestedIfElseStatement detecta if else anidado y preserva early return', () => {
+  const nestedIfElseAst = {
+    type: 'IfStatement',
+    test: { type: 'Identifier', name: 'isReady' },
+    consequent: {
+      type: 'BlockStatement',
+      body: [
+        {
+          type: 'IfStatement',
+          test: { type: 'Identifier', name: 'hasPermission' },
+          consequent: { type: 'BlockStatement', body: [] },
+          alternate: null,
+        },
+      ],
+    },
+    alternate: { type: 'BlockStatement', body: [] },
+  };
+  const elseIfAst = {
+    type: 'IfStatement',
+    test: { type: 'Identifier', name: 'isReady' },
+    consequent: { type: 'BlockStatement', body: [] },
+    alternate: {
+      type: 'IfStatement',
+      test: { type: 'Identifier', name: 'isFallback' },
+      consequent: { type: 'BlockStatement', body: [] },
+      alternate: null,
+    },
+  };
+  const earlyReturnAst = {
+    type: 'IfStatement',
+    test: { type: 'Identifier', name: 'missing' },
+    consequent: {
+      type: 'BlockStatement',
+      body: [{ type: 'ReturnStatement' }],
+    },
+    alternate: null,
+  };
+
+  assert.equal(hasNestedIfElseStatement(nestedIfElseAst), true);
+  assert.equal(hasNestedIfElseStatement(elseIfAst), true);
+  assert.equal(hasNestedIfElseStatement(earlyReturnAst), false);
+});
+
+test('hasDefaultExportedApiRouteHandler detecta handlers default de pages api', () => {
+  const defaultFunctionAst = {
+    type: 'ExportDefaultDeclaration',
+    declaration: { type: 'FunctionDeclaration', id: { type: 'Identifier', name: 'handler' } },
+  };
+  const defaultIdentifierAst = {
+    type: 'ExportDefaultDeclaration',
+    declaration: { type: 'Identifier', name: 'handler' },
+  };
+  const namedRouteHandlerAst = {
+    type: 'ExportNamedDeclaration',
+    declaration: {
+      type: 'FunctionDeclaration',
+      id: { type: 'Identifier', name: 'GET' },
+    },
+  };
+
+  assert.equal(hasDefaultExportedApiRouteHandler(defaultFunctionAst), true);
+  assert.equal(hasDefaultExportedApiRouteHandler(defaultIdentifierAst), true);
+  assert.equal(hasDefaultExportedApiRouteHandler(namedRouteHandlerAst), false);
+});
+
 test('hasWithStatement detecta with y hasDeleteOperator detecta operador delete', () => {
   const withAst = {
     type: 'Program',