redgun-security 1.1.0 → 1.3.0

package/src/local/ldap.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditLdap(projectPath, spinner) {
+  spinner.text = 'Scanning for LDAP injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /ldap\.(?:search|query|compare|modify)\s*\(\s*[^,]*,\s*(?:req|request|params|query|body|user|input|data)/gi, name: 'LDAP query with user input', severity: 'CRITICAL' },
+        { pattern: /LDAP.*(?:filter|query)\s*[:=]\s*(?:req|request|params|query|body|user)\s*\+/gi, name: 'LDAP filter concatenation with user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\$\{/gi, name: 'LDAP search with template literal user input', severity: 'CRITICAL' },
+        { pattern: /ldap\.search\s*\(\s*[^,]*,\s*['"`][^'"`]*\+/gi, name: 'LDAP search with concatenated input', severity: 'CRITICAL' },
+        { pattern: /(?:authenticate|ldap_auth|ldapauth|active.?directory)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'LDAP auth with user-controlled filter', severity: 'CRITICAL' },
+        { pattern: /ldap\.escape\s*\(\s*\)|ldap\.escapeFilter/gi, name: 'LDAP escaping used (good practice)', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:filter|query|search).*['"`]\s*\+/gi, name: 'LDAP filter concatenation detected', severity: 'HIGH' },
+        { pattern: /(?:uid|cn|mail|samaccountname)\s*=\s*(?:req|request|params|query|body)/gi, name: 'LDAP attribute from user input', severity: 'HIGH' },
+        { pattern: /ActiveDirectory\s*\(\s*\{/gi, name: 'Active Directory configuration', severity: 'INFO' },
+        { pattern: /ldapjs|passport-ldap|ldapts|node-ldap/gi, name: 'LDAP library usage', severity: 'INFO' },
+        { pattern: /(?:ldap|AD|active.?directory).*(?:URI|URL|host|server)\s*[:=]\s*['"][^'"]*['"]/gi, name: 'LDAP server config hardcoded', severity: 'LOW' },
+        { pattern: /(?:ssl|tls|starttls|ldaps).*(?:false|disabled?|no|none)/gi, name: 'LDAP without TLS/SSL', severity: 'HIGH' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'LDAP Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never concatenate user input into LDAP filters. Use parameterized LDAP queries or a safe LDAP query builder. Escape special characters (*, (, ), \\, /, &, |, !, =, <, >, ~, #) with ldap.escapeFilter(). Use LDAPS (LDAP over TLS) instead of plain LDAP.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/mobile.js

@@ -0,0 +1,71 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.xml', '.kt', '.swift', '.dart', '.json', '.plist'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'android', 'ios'];
+
+export async function auditMobile(projectPath, spinner) {
+  spinner.text = 'Scanning for mobile security issues...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:firebase|supabase|API|SECRET|TOKEN|KEY).*\s*=\s*['"][A-Za-z0-9_\-\+=\/]{20,}['"]/gi, name: 'API key/secret exposed in mobile code', severity: 'CRITICAL' },
+        { pattern: /android:allowBackup\s*=\s*"true"/gi, name: 'Android allowBackup=true (data extraction)', severity: 'MEDIUM' },
+        { pattern: /android:debuggable\s*=\s*"true"/gi, name: 'Android debuggable=true in release', severity: 'HIGH' },
+        { pattern: /android:usesCleartextTraffic\s*=\s*"true"/gi, name: 'Android cleartext (HTTP) traffic allowed', severity: 'HIGH' },
+        { pattern: /NSAppTransportSecurity.*NSAllowsArbitraryLoads/gi, name: 'iOS ATS disabled (HTTP allowed)', severity: 'HIGH' },
+        { pattern: /android:networkSecurityConfig/gi, name: 'Android custom network security config', severity: 'MEDIUM' },
+        { pattern: /(?:NSAllowsLocalNetworking|NSTemporaryExceptionAllowsInsecureHTTPLoads)/gi, name: 'iOS ATS exceptions enabled', severity: 'MEDIUM' },
+        { pattern: /android:exported\s*=\s*"true"/gi, name: 'Android component exported (IPC risk)', severity: 'MEDIUM' },
+        { pattern: /android:protectionLevel\s*=\s*"normal"/gi, name: 'Android permission protectionLevel normal', severity: 'LOW' },
+        { pattern: /deeplink|intent-filter.*data.*android:scheme/gi, name: 'Deep link / intent filter configured', severity: 'MEDIUM' },
+        { pattern: /(?:React\.Native|flutter|ionic|cordova|capacitor)/gi, name: 'Cross-platform framework usage', severity: 'INFO' },
+        { pattern: /(?:AsyncStorage|SharedPreferences|NSUserDefaults|Keychain|Keystore)/gi, name: 'Local storage usage (check encryption)', severity: 'INFO' },
+        { pattern: /ssl.*pinning|certificate.*pinning|SSLPinningPlugin|TrustKit|certificatePinner/gi, name: 'Certificate pinning implemented', severity: 'INFO' },
+        { pattern: /firebase\.io\.com|google-services\.json|GoogleService-Info\.plist/gi, name: 'Firebase config file referenced', severity: 'MEDIUM' },
+        { pattern: /(?:root|jailbreak).*detect|isRooted|isJailbroken|rootbeer|safety.?net/gi, name: 'Root/jailbreak detection', severity: 'INFO' },
+        { pattern: /(?:WebView|WKWebView).*(?:setJavaScriptEnabled|javaScriptEnabled)/gi, name: 'WebView JS enabled (XSS surface)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*') || line.startsWith('<!--')) continue;
+
+          addFinding(
+            severity,
+            'Mobile Security',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Never hardcode API keys/secrets in mobile apps. Use server-side proxying. Enable certificate pinning. Set debuggable=false for release builds. Disable allowBackup unless encrypted. Use Network Security Config to restrict cleartext traffic. Enable minify/obfuscation for production.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/padding-oracle.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java', '.c', '.cpp', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditPaddingOracle(projectPath, spinner) {
+  spinner.text = 'Scanning for padding/comression oracle vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:decrypt|decipher|unpad)\s*\([^)]*\)\s*(?:catch|if.*error)/gi, name: 'Decryption with error handling (padding oracle)', severity: 'HIGH' },
+        { pattern: /(?:padding|decrypt)\s*(?:bad|invalid|wrong|error|fail)/gi, name: 'Decryption error message (padding oracle indicator)', severity: 'HIGH' },
+        { pattern: /CBC|cipher\.final|cipher\.update/gi, name: 'CBC mode encryption (padding oracle vector)', severity: 'MEDIUM' },
+        { pattern: /createDecipheriv\s*\(\s*['"](?:aes|des)-.*-(?:cbc|ecb)/gi, name: 'CBC/ECB mode decrypt (potential padding oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:error|exception|err)\s*\(\s*['"](?:bad|invalid|wrong) (?:padding|decrypt|cipher)/gi, name: 'Padding error in response', severity: 'HIGH' },
+        { pattern: /OAEP|RSASSA-PSS|RSAES-OAEP/gi, name: 'RSA OAEP padding (good)', severity: 'INFO' },
+        { pattern: /PKCS|pkcs/i, name: 'PKCS padding reference', severity: 'INFO' },
+        { pattern: /gzip|deflate|compress|zlib|Content-Encoding/gi, name: 'Compression usage (CRIME/BREACH vector)', severity: 'LOW' },
+        { pattern: /(?:token|session|cookie|jwt).*(?:compress|gzip|deflate)/gi, name: 'Compression of secrets/tokens (CRIME/BREACH)', severity: 'MEDIUM' },
+        { pattern: /(?:https|tls|ssl).*(?:compress|gzip|deflate)/gi, name: 'TLS compression reference (CRIME)', severity: 'MEDIUM' },
+        { pattern: /\bcrypto\.createDecipheriv\b/gi, name: 'Node.js createDecipheriv (check error handling)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Padding / Compression Oracle',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use authenticated encryption (AES-GCM, ChaCha20-Poly1305) instead of CBC. Never leak decryption errors to clients. Add random MAC before encrypting. Disable TLS compression. Avoid compressing response bodies that contain secrets or CSRF tokens.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/saml.js

@@ -0,0 +1,72 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.java', '.go', '.xml', '.env', '.conf', '.yml', '.yaml'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditSaml(projectPath, spinner) {
+  spinner.text = 'Scanning for SAML/SSO vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /signature\s*.*(?:skip|disabled?|false|none)/gi, name: 'SAML signature validation disabled/skipped', severity: 'CRITICAL' },
+        { pattern: /(?:validate|verify|check).*signature\s*.*(?:false|null|undefined|skip)/gi, name: 'Signature verification disabled', severity: 'CRITICAL' },
+        { pattern: /wantAssertionsSigned\s*[:=]\s*false/gi, name: 'Assertions signing not required', severity: 'HIGH' },
+        { pattern: /wantAuthnRequestsSigned\s*[:=]\s*false/gi, name: 'AuthnRequest signing not required', severity: 'HIGH' },
+        { pattern: /(?:IDP|idp|identityProvider).*(?:metadata|config|cert|certificate).*url\s*=.*(?:http:\/\/|request)/gi, name: 'IdP metadata from dynamic/untrusted URL', severity: 'HIGH' },
+        { pattern: /saml2\.validatePostResponse\s*\(/gi, name: 'SAML response validation (check for XSW)', severity: 'MEDIUM' },
+        { pattern: /saml2\.validateRedirect\s*\(/gi, name: 'SAML redirect binding', severity: 'INFO' },
+        { pattern: /(?:audience|AudienceRestriction)\s*.*(?:skip|disabled?|false)/gi, name: 'Audience restriction disabled', severity: 'HIGH' },
+        { pattern: /(?:entityID|issuer)\s*.*(?:check|validate)\s*.*(?:false|skip)/gi, name: 'Entity ID validation skipped', severity: 'MEDIUM' },
+        { pattern: /(?:notBefore|NotOnOrAfter|notOnOrAfter|clockSkew|skew)\s*[:=]\s*\d{4,}/gi, name: 'Large SAML clock skew (replay risk)', severity: 'LOW' },
+        { pattern: /NameID\s*.*(?:req|request|input|body|query|params|user)/gi, name: 'NameID from user input', severity: 'CRITICAL' },
+        { pattern: /(?:attributes?|AttributeStatement)\s*.*(?:req|request|input|body)/gi, name: 'SAML attributes from user input', severity: 'CRITICAL' },
+        { pattern: /InResponseTo\s*.*(?:skip|disabled?|false|null)/gi, name: 'InResponseTo validation skipped', severity: 'HIGH' },
+        { pattern: /(?:SP|serviceProvider|SAML).*(?:cert|certificate)\s*[:=]\s*['"]/gi, name: 'SAML certificate hardcoded in code', severity: 'LOW' },
+        { pattern: /XMLSignature\s*\(\s*\)/gi, name: 'XML signature object (check for XSW bypass)', severity: 'MEDIUM' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"]\/*\/(?:\w+:)?Assertion['"]\s*\)/gi, name: 'XPath query for Assertion (XSW vulnerability)', severity: 'HIGH' },
+        { pattern: /(?:find|query|select)(?:Selector)?\s*\(\s*['"](?:\w+:)?(?:AttributeStatement|NameID|Subject)['"]\s*\)/gi, name: 'XPath query for SAML elements (check for XSW)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'SAML/SSO Attacks',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Validate SAML signatures with trusted Identity Provider certificates. Never accept unsigned assertions. Use XML Signature Wrapping (XSW) defenses: validate the exact XPath of signed elements. Always enforce audience restriction and InResponseTo. Do not accept NameID or attributes from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 1024 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/service-worker.js

@@ -0,0 +1,64 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.html', '.htm'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditServiceWorker(projectPath, spinner) {
+  spinner.text = 'Scanning for Service Worker abuse vectors...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /navigator\.serviceWorker\.register\s*\(/gi, name: 'Service Worker registration', severity: 'INFO' },
+        { pattern: /importScripts\s*\(/gi, name: 'Service Worker importScripts (XSS via sw)', severity: 'HIGH' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]fetch['"]/gi, name: 'Service Worker fetch listener', severity: 'INFO' },
+        { pattern: /self\.addEventListener\s*\(\s*['"]message['"]/gi, name: 'Service Worker message listener (postMessage attack)', severity: 'MEDIUM' },
+        { pattern: /respondWith\s*\(\s*fetch\s*\(\s*event\.request\s*\)/gi, name: 'SW passthrough fetch (check URL rewriting)', severity: 'MEDIUM' },
+        { pattern: /event\.respondWith\s*\(\s*new\s+Response/gi, name: 'SW custom response (check for content injection)', severity: 'MEDIUM' },
+        { pattern: /CacheStorage|self\.caches\s*\./gi, name: 'Cache API usage (cache poisoning via SW)', severity: 'LOW' },
+        { pattern: /Clients\.claim\s*\(\s*\)|self\.clients\.claim/gi, name: 'Service Worker immediate claim (malicious takeover)', severity: 'HIGH' },
+        { pattern: /self\.skipWaiting/gi, name: 'SW skipWaiting (immediate activation)', severity: 'MEDIUM' },
+        { pattern: /navigator\.serviceWorker\.getRegistration|navigator\.serviceWorker\.controller/gi, name: 'SW control check', severity: 'INFO' },
+        { pattern: /self\.registration\.unregister/gi, name: 'SW unregistration', severity: 'LOW' },
+        { pattern: /PushManager|pushManager\.subscribe|showNotification/gi, name: 'Push notifications (notification spam vector)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            severity,
+            'Service Worker / WebRTC',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Restrict Service Worker scope (/). Use importScripts from same-origin only. Validate fetch events to prevent response tampering. Monitor dangerously overwritable headers. Limit Cache API usage to prevent storage exhaustion.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/timing.js

@@ -0,0 +1,66 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditTiming(projectPath, spinner) {
+  spinner.text = 'Scanning for timing side-channel vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /(?:password|secret|token|key|hash|pin).*\s*={2,3}\s*(?:req|request|params|body|input)/gi, name: 'String comparison with user input (timing leak)', severity: 'HIGH' },
+        { pattern: /(?:password|secret|token|key|hash|pin)\s*===\s*/gi, name: 'Strict comparison used (good for timing)', severity: 'INFO' },
+        { pattern: /crypto\.timingSafeEqual|timingsafe\b/gi, name: 'Timing-safe comparison used (good)', severity: 'INFO' },
+        { pattern: /\b(?:sleep|delay|wait|setTimeout|setInterval)\s*\(\s*(?:req|request|params|query|body)/gi, name: 'User-controlled delay/sleep (potential timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:if|when)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)\s*(?:\{|\n)\s*(?:sleep|delay|setTimeout)/gi, name: 'Conditional sleep based on user input', severity: 'HIGH' },
+        { pattern: /(?:login|auth|signin).*select.*password.*(?:req|request|params)/gi, name: 'Password DB lookup (check for timing leak on user-not-found)', severity: 'MEDIUM' },
+        { pattern: /bcrypt\.compare|bcrypt\.compareSync|argon2\.verify/gi, name: 'bcrypt/argon2 verification (timing-safe)', severity: 'INFO' },
+        { pattern: /(?:hash|digest|hmac)\s*\(\s*['"]?(?:md5|sha1|sha256|sha512)['"]?\s*,/gi, name: 'Hash function usage (check HMAC timing)', severity: 'LOW' },
+        { pattern: /(?:for|while)\s*\([^)]*(?:req|request|params|query|body)[^)]*\)/gi, name: 'Loop iteration from user input (DoS + timing oracle)', severity: 'MEDIUM' },
+        { pattern: /(?:username|email|user).*exists|(?:findOne|findUser)\s*\(\s*\{.*username/gi, name: 'User existence check (potential oracle)', severity: 'LOW' },
+        { pattern: /PasswordResetListener|SentMessage|mail.*send.*token/gi, name: 'Email sending after reset request (timing oracle on user existence)', severity: 'LOW' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Timing Side-Channels',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use constant-time comparison (timingSafeEqual) for secrets. Ensure login returns identical responses regardless of user existence. Add random jitter to email sending. Never use sleep/delay from user input.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/web3.js

@@ -0,0 +1,73 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.sol', '.rs', '.js', '.ts', '.jsx', '.tsx', '.py', '.vy', '.move'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor', 'out'];
+
+export async function auditWeb3(projectPath, spinner) {
+  spinner.text = 'Scanning for Web3/smart contract vulnerabilities...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /reentrancy|re-?entrant|nonReentrant/gi, name: 'Reentrancy guard pattern', severity: 'INFO' },
+        { pattern: /\.call\s*\(\s*\{\s*value:|\.transfer\s*\(|\.send\s*\(/gi, name: 'ETH transfer method (check reentrancy)', severity: 'HIGH' },
+        { pattern: /(?:transfer|send)\s*\(\s*(?:msg\.value|address\(this\)\.balance)/gi, name: 'Full balance transfer (reentrancy risk)', severity: 'CRITICAL' },
+        { pattern: /(?:balances?|mapping).*\s*\[.*\s*\]\s*[-+]=?\s*/gi, name: 'Balance update (check CEI pattern)', severity: 'MEDIUM' },
+        { pattern: /delegatecall|delegatecall\s*\(/gi, name: 'delegatecall usage (storage collision risk)', severity: 'CRITICAL' },
+        { pattern: /selfdestruct|suicide\s*\(/gi, name: 'selfdestruct usage', severity: 'HIGH' },
+        { pattern: /tx\.origin\s*={2,3}|require\s*\(\s*tx\.origin/gi, name: 'tx.origin used for auth (phishing risk)', severity: 'CRITICAL' },
+        { pattern: /block\.timestamp.*==|block\.timestamp.*<=|block\.timestamp.*>=/gi, name: 'block.timestamp in strict comparison', severity: 'MEDIUM' },
+        { pattern: /blockhash\s*\(|block\.blockhash/gi, name: 'Blockhash usage (predictable in multi-block context)', severity: 'MEDIUM' },
+        { pattern: /onlyOwner|Ownable|owner\s*=\s*msg\.sender/gi, name: 'Ownable pattern (single point of failure)', severity: 'MEDIUM' },
+        { pattern: /mint\s*\(\s*.*address|_mint\s*\(/gi, name: 'Mint function (check access control)', severity: 'HIGH' },
+        { pattern: /proxy|implementation|upgrade|initialize/gi, name: 'Upgradeable/proxy pattern', severity: 'INFO' },
+        { pattern: /storage\s+|assembly\s*\{.*sload|sstore/gi, name: 'Inline assembly with storage access', severity: 'HIGH' },
+        { pattern: /unchecked\s*\{|unchecked\s*\(/gi, name: 'unchecked block (integer overflow risk)', severity: 'MEDIUM' },
+        { pattern: /uint\d+\s*\+\s*|uint\d+\s*-\s*|uint\d+\s*\*\s*/gi, name: 'Integer arithmetic (check overflow/underflow if Solidity < 0.8)', severity: 'MEDIUM' },
+        { pattern: /msg\.value\s*>=\s*0|msg\.value\s*==\s*0/gi, name: 'msg.value comparison (check edge cases)', severity: 'LOW' },
+        { pattern: /(?:constructor|init)\s*\([^)]*(?:_proxy|_impl|_implementation)/gi, name: 'Proxy initialization (check for double-init)', severity: 'HIGH' },
+        { pattern: /(?:deadline|expiry|expires).*(?:require|if|assert)\s*\(/gi, name: 'Deadline check (frontrunning protection)', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'Web3 / Smart Contracts',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use Checks-Effects-Interactions pattern. Use ReentrancyGuard from OpenZeppelin. Verify proxy initializer is only called once. Use msg.sender instead of tx.origin for auth. Use block.timestamp >= for time comparisons. Run slither/aderyn for deeper analysis.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 256 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/xpath-ssi.js

@@ -0,0 +1,67 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditXpathSsi(projectPath, spinner) {
+  spinner.text = 'Scanning for XPath & SSI injection...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const patterns = [
+        { pattern: /XPath\.evaluate\s*\(\s*(?:req|request|params|query|body|user)/gi, name: 'XPath evaluate with user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.select\s*\(\s*(?:req|request|params|query|body)/gi, name: 'XPath select with user input', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\$\{/gi, name: 'XPath query with template literal', severity: 'CRITICAL' },
+        { pattern: /(?:find|query|select)\s*\(\s*['"`]\/\/(?:\w+::)?(\w+)\[.*\+/gi, name: 'XPath query with concatenated input', severity: 'CRITICAL' },
+        { pattern: /SimpleXMLElement.*xpath\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP SimpleXML xpath user input', severity: 'CRITICAL' },
+        { pattern: /DOMXPath.*query\s*\(\s*\$_(?:GET|POST|REQUEST)/gi, name: 'PHP DOMXPath query user input', severity: 'CRITICAL' },
+        { pattern: /xpath\.compile\s*\(\s*(?:req|request|input)/gi, name: 'XPath compile with user input', severity: 'HIGH' },
+        { pattern: /<!--#\s*(?:include|exec|echo|fsize|flastmod|config)/gi, name: 'Server-Side Includes (SSI) in templates', severity: 'HIGH' },
+        { pattern: /<!--#echo\s+var|<!--#include\s+(?:virtual|file)|<!--#exec/gi, name: 'SSI directives in source', severity: 'CRITICAL' },
+        { pattern: /(?:shtml|stm|shtm)/gi, name: 'SSI file extension (.shtml)', severity: 'MEDIUM' },
+        { pattern: /Options\s+\+Includes|AddHandler.*server-parsed/gi, name: 'Apache SSI enabled', severity: 'LOW' },
+        { pattern: /(?:include|exec|echo)\s*\(\s*(?:req|request|params|input)/gi, name: 'Server include with user input', severity: 'CRITICAL' },
+      ];
+
+      for (const { pattern, name, severity } of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+          if (line.startsWith('//') || line.startsWith('#') || line.startsWith('*')) continue;
+
+          addFinding(
+            severity,
+            'XPath / SSI Injection',
+            name,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 120)}`,
+            'Use parameterized XPath queries. Sanitize input against special chars (, ), [, ], :, *, /, @, !, =, >, <. Disable SSI unless needed (Options -Includes). Never pass user input to SSI directives.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}