redgun-security 1.0.0

package/src/local/deserialization.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { DESERIALIZATION_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.py', '.rb', '.php', '.java', '.cs', '.go'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'target'];
+
+export async function auditDeserialization(projectPath, spinner) {
+  spinner.text = 'Scanning for insecure deserialization (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of DESERIALIZATION_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          addFinding(
+            'CRITICAL',
+            'Deserialization (HackTricks)',
+            'Insecure deserialization detected',
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}\nPattern: ${match[0].substring(0, 60)}`,
+            'Never deserialize untrusted data. Use safe alternatives: JSON for data exchange, validate/whitelist classes before deserializing. For Python: use json instead of pickle. For Java: use allowlist-based ObjectInputFilter. For PHP: use json_decode instead of unserialize.'
+          );
+        }
+      }
+
+      const yamlUnsafe = /yaml\.load\s*\([^)]*\)/g;
+      let yamlMatch;
+      while ((yamlMatch = yamlUnsafe.exec(content)) !== null) {
+        if (!content.substring(yamlMatch.index, yamlMatch.index + 100).includes('SafeLoader')) {
+          const lineNum = content.substring(0, yamlMatch.index).split('\n').length;
+          addFinding(
+            'HIGH',
+            'Deserialization (HackTricks)',
+            'YAML load without SafeLoader',
+            `File: ${relativePath}:${lineNum}`,
+            'Use yaml.safe_load() or yaml.load(data, Loader=yaml.SafeLoader) to prevent arbitrary code execution.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/env.js

@@ -0,0 +1,80 @@
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { addFinding } from '../core/findings.js';
+
+export async function auditEnv(projectPath, spinner) {
+  spinner.text = 'Checking environment file security...';
+
+  const gitignorePath = join(projectPath, '.gitignore');
+  const hasGitignore = existsSync(gitignorePath);
+  let gitignoreContent = '';
+
+  if (hasGitignore) {
+    gitignoreContent = readFileSync(gitignorePath, 'utf-8');
+  }
+
+  const envFiles = ['.env', '.env.local', '.env.production', '.env.development'];
+
+  for (const envFile of envFiles) {
+    const envPath = join(projectPath, envFile);
+    if (!existsSync(envPath)) continue;
+
+    if (!hasGitignore || !gitignoreContent.includes('.env')) {
+      addFinding(
+        'CRITICAL',
+        'Environment Files',
+        `${envFile} may not be in .gitignore`,
+        `File ${envFile} exists but .gitignore does not exclude .env files`,
+        'Add .env* to your .gitignore file immediately'
+      );
+    }
+
+    try {
+      const content = readFileSync(envPath, 'utf-8');
+      const lines = content.split('\n');
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim();
+        if (!line || line.startsWith('#')) continue;
+
+        const [key] = line.split('=');
+        if (!key) continue;
+
+        if (/(?:SECRET|PASSWORD|PRIVATE|TOKEN|KEY|API_KEY)(?:_|$)/i.test(key)) {
+          const value = line.split('=').slice(1).join('=').trim().replace(/['"]/g, '');
+          if (value && value !== '' && !value.startsWith('${') && value !== 'changeme' && value !== 'your-key-here') {
+            addFinding(
+              'HIGH',
+              'Environment Files',
+              `Real secret in ${envFile}`,
+              `${key} contains a real value (line ${i + 1})`,
+              'Ensure this file is never committed. Use a secrets manager for production.'
+            );
+          }
+        }
+      }
+    } catch {}
+  }
+
+  const exampleEnv = join(projectPath, '.env.example');
+  if (existsSync(exampleEnv)) {
+    try {
+      const content = readFileSync(exampleEnv, 'utf-8');
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim();
+        if (!line || line.startsWith('#')) continue;
+        const value = line.split('=').slice(1).join('=').trim().replace(/['"]/g, '');
+        if (value && value.length > 20 && !/^(your|example|changeme|placeholder|xxx)/i.test(value)) {
+          addFinding(
+            'MEDIUM',
+            'Environment Files',
+            'Possible real secret in .env.example',
+            `Line ${i + 1}: ${line.split('=')[0]}=*** (value looks real, not placeholder)`,
+            'Replace with a placeholder value like "your-api-key-here"'
+          );
+        }
+      }
+    } catch {}
+  }
+}

package/src/local/headers-config.js

@@ -0,0 +1,70 @@
+import { readFileSync, existsSync } from 'fs';
+import { join } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const CONFIG_FILES = [
+  'nuxt.config.js', 'nuxt.config.ts', 'next.config.js', 'next.config.mjs',
+  'vercel.json', 'netlify.toml', '_headers', 'nginx.conf',
+  'server.js', 'server.ts', 'app.js', 'app.ts', 'index.js', 'index.ts',
+];
+
+export async function auditHeadersConfig(projectPath, spinner) {
+  spinner.text = 'Checking security headers configuration...';
+
+  let foundCsp = false;
+  let foundHsts = false;
+  let foundXfo = false;
+
+  for (const configFile of CONFIG_FILES) {
+    const filePath = join(projectPath, configFile);
+    if (!existsSync(filePath)) continue;
+
+    try {
+      const content = readFileSync(filePath, 'utf-8');
+
+      if (/content-security-policy|contentSecurityPolicy|csp/i.test(content)) foundCsp = true;
+      if (/strict-transport-security|hsts/i.test(content)) foundHsts = true;
+      if (/x-frame-options|frameOptions/i.test(content)) foundXfo = true;
+
+      if (/unsafe-inline|unsafe-eval/i.test(content)) {
+        addFinding(
+          'MEDIUM',
+          'Headers Config',
+          'CSP uses unsafe-inline or unsafe-eval',
+          `File: ${configFile}`,
+          'Remove unsafe-inline/unsafe-eval from CSP. Use nonce-based or hash-based CSP instead.'
+        );
+      }
+    } catch {}
+  }
+
+  if (!foundCsp) {
+    addFinding(
+      'MEDIUM',
+      'Headers Config',
+      'No Content-Security-Policy configured',
+      'CSP header not found in configuration files',
+      'Add a strict CSP header to prevent XSS and data injection attacks'
+    );
+  }
+
+  if (!foundHsts) {
+    addFinding(
+      'MEDIUM',
+      'Headers Config',
+      'No Strict-Transport-Security configured',
+      'HSTS header not found in configuration files',
+      'Add HSTS header with max-age=31536000; includeSubDomains; preload'
+    );
+  }
+
+  if (!foundXfo) {
+    addFinding(
+      'LOW',
+      'Headers Config',
+      'No X-Frame-Options configured',
+      'X-Frame-Options not found in configuration',
+      'Add X-Frame-Options: DENY or use CSP frame-ancestors directive'
+    );
+  }
+}

package/src/local/index.js

@@ -0,0 +1,46 @@
+import { auditSecrets } from './secrets.js';
+import { auditEnv } from './env.js';
+import { auditDependencies } from './dependencies.js';
+import { auditCodeVulnerabilities } from './code-vulnerabilities.js';
+import { auditAuth } from './auth.js';
+import { auditHeadersConfig } from './headers-config.js';
+import { auditSsrf } from './ssrf.js';
+import { auditSsti } from './ssti.js';
+import { auditDeserialization } from './deserialization.js';
+import { auditPrototypePollution } from './prototype-pollution.js';
+import { auditJwt } from './jwt.js';
+import { auditPathTraversal } from './path-traversal.js';
+import { auditCommandInjection } from './command-injection.js';
+import { auditCrypto } from './crypto.js';
+
+export const LOCAL_MODULES = [
+  { name: 'Code Secrets', value: 'secrets', fn: auditSecrets },
+  { name: 'Environment Files', value: 'env', fn: auditEnv },
+  { name: 'Dependencies (npm audit)', value: 'deps', fn: auditDependencies },
+  { name: 'Code Vulnerabilities (SQLi, XSS)', value: 'codevuln', fn: auditCodeVulnerabilities },
+  { name: 'Auth & Middleware', value: 'auth', fn: auditAuth },
+  { name: 'Headers Config (CSP/HSTS)', value: 'headers', fn: auditHeadersConfig },
+  { name: 'SSRF Detection (HackTricks)', value: 'ssrf', fn: auditSsrf },
+  { name: 'SSTI Detection (HackTricks)', value: 'ssti', fn: auditSsti },
+  { name: 'Insecure Deserialization (HackTricks)', value: 'deser', fn: auditDeserialization },
+  { name: 'Prototype Pollution (HackTricks)', value: 'proto', fn: auditPrototypePollution },
+  { name: 'JWT Vulnerabilities (HackTricks)', value: 'jwt', fn: auditJwt },
+  { name: 'Path Traversal / LFI (HackTricks)', value: 'lfi', fn: auditPathTraversal },
+  { name: 'Command Injection (HackTricks)', value: 'cmdi', fn: auditCommandInjection },
+  { name: 'Weak Cryptography (HackTricks)', value: 'crypto', fn: auditCrypto },
+];
+
+export async function runLocalAudit(projectPath, spinner, modules = null) {
+  const toRun = modules
+    ? LOCAL_MODULES.filter((m) => modules.includes(m.value))
+    : LOCAL_MODULES;
+
+  for (const mod of toRun) {
+    try {
+      spinner.text = `Running: ${mod.name}...`;
+      await mod.fn(projectPath, spinner);
+    } catch (err) {
+      spinner.text = `Error in ${mod.name}: ${err.message}`;
+    }
+  }
+}

package/src/local/jwt.js

@@ -0,0 +1,86 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { JWT_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditJwt(projectPath, spinner) {
+  spinner.text = 'Scanning for JWT vulnerabilities (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of JWT_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const matchText = match[0];
+
+          let severity = 'HIGH';
+          let title = 'JWT security issue';
+
+          if (/none/i.test(matchText)) {
+            severity = 'CRITICAL';
+            title = 'JWT algorithm "none" attack - signature bypass';
+          } else if (/verify.*false/i.test(matchText)) {
+            severity = 'CRITICAL';
+            title = 'JWT verification disabled';
+          } else if (/ignoreExpiration.*true/i.test(matchText)) {
+            severity = 'HIGH';
+            title = 'JWT expiration check disabled';
+          } else if (/jwt\.decode/i.test(matchText)) {
+            severity = 'MEDIUM';
+            title = 'JWT decoded without verification';
+          } else if (/HS256/i.test(matchText)) {
+            severity = 'MEDIUM';
+            title = 'JWT uses HS256 - vulnerable to key confusion if RS256 expected';
+          }
+
+          addFinding(
+            severity,
+            'JWT Attacks (HackTricks)',
+            title,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Always verify JWT signatures. Use RS256/ES256 for asymmetric signing. Never use algorithm "none". Set and enforce expiration. Use a well-tested JWT library.'
+          );
+        }
+      }
+
+      const weakSecret = /(?:jwt|token).*secret\s*[:=]\s*['"][^'"]{1,16}['"]/gi;
+      let secretMatch;
+      while ((secretMatch = weakSecret.exec(content)) !== null) {
+        const lineNum = content.substring(0, secretMatch.index).split('\n').length;
+        addFinding(
+          'HIGH',
+          'JWT Attacks (HackTricks)',
+          'Weak JWT signing secret (< 16 chars)',
+          `File: ${relativePath}:${lineNum}`,
+          'Use a strong secret (256+ bits). Store in environment variable. Consider asymmetric signing (RS256).'
+        );
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/path-traversal.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { PATH_TRAVERSAL_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditPathTraversal(projectPath, spinner) {
+  spinner.text = 'Scanning for Path Traversal / LFI (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of PATH_TRAVERSAL_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'Path Traversal (HackTricks)',
+            'Local File Inclusion - user input in file path',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Never use user input directly in file paths. Use path.resolve() and verify the resolved path starts with the expected base directory. Strip ../ sequences. Use a whitelist of allowed filenames when possible.'
+          );
+        }
+      }
+
+      const includePatterns = [
+        /(?:include|require|require_once|include_once)\s*\(\s*\$_(?:GET|POST|REQUEST)/gi,
+        /(?:file_get_contents|fopen|readfile)\s*\(\s*\$_(?:GET|POST|REQUEST)/gi,
+        /open\s*\(\s*(?:request\.args|request\.form)/gi,
+      ];
+
+      for (const pattern of includePatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'Path Traversal (HackTricks)',
+            'Remote/Local File Inclusion via user input',
+            `File: ${relativePath}:${lineNum}`,
+            'Never include files based on user input. If needed, use a strict whitelist mapping.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/prototype-pollution.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { PROTOTYPE_POLLUTION_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '.next'];
+
+export async function auditPrototypePollution(projectPath, spinner) {
+  spinner.text = 'Scanning for Prototype Pollution (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of PROTOTYPE_POLLUTION_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'HIGH',
+            'Prototype Pollution (HackTricks)',
+            'Potential prototype pollution vector',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Sanitize object keys before merging. Block __proto__, constructor, prototype keys. Use Object.create(null) for dictionary objects. Freeze Object.prototype in critical paths.'
+          );
+        }
+      }
+
+      const recursiveMerge = /function\s+\w*[Mm]erge\s*\([^)]*\)\s*\{[^}]*for\s*\(/g;
+      let mergeMatch;
+      while ((mergeMatch = recursiveMerge.exec(content)) !== null) {
+        const lineNum = content.substring(0, mergeMatch.index).split('\n').length;
+        if (!content.substring(mergeMatch.index, mergeMatch.index + 500).includes('__proto__')) {
+          addFinding(
+            'MEDIUM',
+            'Prototype Pollution (HackTricks)',
+            'Custom merge function without __proto__ protection',
+            `File: ${relativePath}:${lineNum}`,
+            'Add __proto__ and constructor.prototype key filtering to custom merge/deep-clone functions.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/secrets.js

@@ -0,0 +1,92 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { SECRET_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = [
+  '.js', '.ts', '.jsx', '.tsx', '.mjs', '.cjs',
+  '.py', '.rb', '.php', '.go', '.java', '.cs',
+  '.vue', '.svelte', '.astro', '.html', '.yml', '.yaml',
+  '.json', '.toml', '.cfg', '.conf', '.ini',
+];
+
+const IGNORE_DIRS = [
+  'node_modules', '.git', 'dist', 'build', '.next', '.nuxt',
+  '__pycache__', 'venv', '.venv', 'vendor', 'target',
+  '.cache', 'coverage', '.output',
+];
+
+export async function auditSecrets(projectPath, spinner) {
+  spinner.text = 'Scanning for hardcoded secrets...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+
+      for (const [name, pattern] of Object.entries(SECRET_PATTERNS)) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+
+          if (isComment(line)) continue;
+          if (isTestOrExample(file)) continue;
+
+          const severity = getSeverity(name);
+          const relativePath = file.replace(projectPath, '.');
+          addFinding(
+            severity,
+            'Code Secrets',
+            `${name} found in source code`,
+            `File: ${relativePath}:${lineNum}\nValue: ${maskSecret(match[0])}`,
+            `Move this secret to environment variables. Use .env files (not committed) and access via process.env.`
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry)) continue;
+      if (entry.startsWith('.') && entry !== '.env.example') continue;
+
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) {
+          getFiles(fullPath, files);
+        } else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase())) {
+          if (stat.size < 1024 * 1024) files.push(fullPath);
+        }
+      } catch {}
+    }
+  } catch {}
+  return files;
+}
+
+function isComment(line) {
+  return line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('/*');
+}
+
+function isTestOrExample(file) {
+  return /\.(test|spec|example|sample|mock)\./i.test(file) || /__(tests?|mocks?)__/i.test(file);
+}
+
+function getSeverity(name) {
+  if (/private key|service.role|secret.key|aws.secret/i.test(name)) return 'CRITICAL';
+  if (/stripe|database|openai|anthropic/i.test(name)) return 'HIGH';
+  if (/password|token/i.test(name)) return 'HIGH';
+  return 'MEDIUM';
+}
+
+function maskSecret(value) {
+  if (value.length <= 8) return '***';
+  return value.substring(0, 4) + '...' + value.substring(value.length - 4);
+}

package/src/local/ssrf.js

@@ -0,0 +1,70 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { SSRF_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '.next', '__pycache__', 'vendor'];
+
+export async function auditSsrf(projectPath, spinner) {
+  spinner.text = 'Scanning for SSRF vulnerabilities (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of SSRF_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'SSRF (HackTricks)',
+            'Server-Side Request Forgery - user-controlled URL',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Validate and whitelist allowed URLs/domains. Block internal IPs (127.0.0.1, 10.x, 169.254.169.254). Use URL parsing to prevent bypasses like http://127.0.0.1@evil.com'
+          );
+        }
+      }
+
+      const urlFetchPatterns = [
+        /(?:url|uri|link|href|src|endpoint|webhook|callback|redirect|proxy|forward)\s*=\s*(?:req|params|query|body)/gi,
+        /(?:image|avatar|icon|logo|file)_?(?:url|uri)\s*=\s*(?:req|params|query|body)/gi,
+      ];
+
+      for (const pattern of urlFetchPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'HIGH',
+            'SSRF (HackTricks)',
+            'User-controlled URL parameter (potential SSRF)',
+            `File: ${relativePath}:${lineNum}\nPattern: ${match[0].substring(0, 80)}`,
+            'Implement URL validation: whitelist allowed protocols (http/https only), block private IP ranges, use DNS resolution checks, consider using a proxy with egress filtering.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}