seaworthycode 1.1.1 → 1.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (68) hide show
  1. package/dist/index.js +269 -59
  2. package/dist/index.js.map +1 -1
  3. package/package.json +16 -12
  4. package/rules/external/configuration/insecure-cookie-flags.test.yaml +114 -0
  5. package/rules/external/configuration/insecure-cookie-flags.yaml +77 -0
  6. package/rules/external/configuration/missing-ssl-verification.test.yaml +130 -0
  7. package/rules/external/configuration/missing-ssl-verification.yaml +123 -0
  8. package/rules/external/data-exposure/debug-artifacts.test.yaml +143 -0
  9. package/rules/external/data-exposure/debug-artifacts.yaml +57 -0
  10. package/rules/external/data-exposure/hardcoded-ip.test.yaml +131 -0
  11. package/rules/external/data-exposure/hardcoded-ip.yaml +67 -0
  12. package/rules/external/data-exposure/localstorage-sensitive-data.test.yaml +58 -0
  13. package/rules/external/data-exposure/localstorage-sensitive-data.yaml +60 -0
  14. package/rules/external/dependencies/deprecated-functions.test.yaml +92 -0
  15. package/rules/external/dependencies/deprecated-functions.yaml +66 -0
  16. package/rules/external/ops/hardcoded-port.test.yaml +141 -0
  17. package/rules/external/ops/hardcoded-port.yaml +91 -0
  18. package/rules/external/ops/insecure-file-permissions.test.yaml +111 -0
  19. package/rules/external/ops/insecure-file-permissions.yaml +91 -0
  20. package/rules/external/resilience/missing-memory-limit.test.yaml +54 -0
  21. package/rules/external/resilience/missing-memory-limit.yaml +59 -0
  22. package/rules/external/resilience/missing-timeout-config.test.yaml +179 -0
  23. package/rules/external/resilience/missing-timeout-config.yaml +124 -0
  24. package/rules/external/security/broken-crypto-algorithm.test.yaml +104 -0
  25. package/rules/external/security/broken-crypto-algorithm.yaml +79 -0
  26. package/rules/external/security/http-method-override.test.yaml +40 -0
  27. package/rules/external/security/http-method-override.yaml +35 -0
  28. package/rules/external/security/http-no-tls.test.yaml +115 -0
  29. package/rules/external/security/http-no-tls.yaml +59 -0
  30. package/rules/external/security/path-traversal.test.yaml +188 -0
  31. package/rules/external/security/path-traversal.yaml +210 -0
  32. package/rules/external/security/unsafe-innerhtml.test.yaml +72 -0
  33. package/rules/external/security/unsafe-innerhtml.yaml +46 -0
  34. package/rules/external/security/untrusted-deserialization.test.yaml +79 -0
  35. package/rules/external/security/untrusted-deserialization.yaml +48 -0
  36. package/rules/external/security/weak-encryption-mode.test.yaml +126 -0
  37. package/rules/external/security/weak-encryption-mode.yaml +104 -0
  38. package/rules/external/security/weak-hash-algorithm.test.yaml +121 -0
  39. package/rules/external/security/weak-hash-algorithm.yaml +87 -0
  40. package/rules/external/security/xxe-parsing.test.yaml +76 -0
  41. package/rules/external/security/xxe-parsing.yaml +63 -0
  42. package/rules/internal/security/dangerous-eval.test.yaml +126 -0
  43. package/rules/internal/security/dangerous-eval.yaml +134 -0
  44. package/rules/internal/security/no-document-write.test.yaml +33 -0
  45. package/rules/internal/security/no-document-write.yaml +40 -0
  46. package/rules/internal/taint/MATRIX.md +16 -0
  47. package/rules/internal/taint/bash.test.yaml +84 -0
  48. package/rules/internal/taint/bash.yaml +166 -0
  49. package/rules/internal/taint/dvwa.test.yaml +217 -0
  50. package/rules/internal/taint/go.test.yaml +207 -0
  51. package/rules/internal/taint/go.yaml +325 -0
  52. package/rules/internal/taint/java.test.yaml +158 -0
  53. package/rules/internal/taint/java.yaml +318 -0
  54. package/rules/internal/taint/javascript.test.yaml +374 -0
  55. package/rules/internal/taint/javascript.yaml +439 -0
  56. package/rules/internal/taint/php.test.yaml +134 -0
  57. package/rules/internal/taint/php.yaml +331 -0
  58. package/rules/internal/taint/python.test.yaml +427 -0
  59. package/rules/internal/taint/python.yaml +636 -0
  60. package/rules/internal/taint/ruby.test.yaml +148 -0
  61. package/rules/internal/taint/ruby.yaml +233 -0
  62. package/rules/internal/taint/rust.test.yaml +585 -0
  63. package/rules/internal/taint/rust.yaml +483 -0
  64. package/rules/internal/taint/tsx.test.yaml +140 -0
  65. package/rules/internal/taint/tsx.yaml +51 -0
  66. package/rules/internal/taint/typescript.test.yaml +393 -0
  67. package/rules/internal/taint/typescript.yaml +660 -0
  68. package/wasm/tree-sitter-sql.wasm +0 -0
@@ -0,0 +1,660 @@
1
+ # attribution: CWE-79
2
+ # Server Actions ('use server'): file-scoped boundary — use pro/LLM checks; not modelled as intra-file taint here.
3
+ # zod/valibot: schema.parse / safeParse treated as manual sanitiser (no autofix).
4
+ attribution: CWE-79
5
+ language: typescript
6
+ applies-to: [tsx]
7
+
8
+ sources:
9
+ - id: req.body
10
+ class: http-body
11
+ query: |
12
+ (member_expression
13
+ object: (identifier) @obj
14
+ property: (property_identifier) @prop
15
+ (#eq? @obj "req")
16
+ (#eq? @prop "body")) @source
17
+
18
+ - id: req.query
19
+ class: http-params
20
+ query: |
21
+ (member_expression
22
+ object: (identifier) @obj
23
+ property: (property_identifier) @prop
24
+ (#eq? @obj "req")
25
+ (#eq? @prop "query")) @source
26
+
27
+ - id: req.params
28
+ class: http-params
29
+ query: |
30
+ (member_expression
31
+ object: (identifier) @obj
32
+ property: (property_identifier) @prop
33
+ (#eq? @obj "req")
34
+ (#eq? @prop "params")) @source
35
+
36
+ - id: req.headers
37
+ class: header
38
+ query: |
39
+ (member_expression
40
+ object: (identifier) @obj
41
+ property: (property_identifier) @prop
42
+ (#eq? @obj "req")
43
+ (#eq? @prop "headers")) @source
44
+
45
+ - id: req.cookies
46
+ class: cookie
47
+ query: |
48
+ (member_expression
49
+ object: (identifier) @obj
50
+ property: (property_identifier) @prop
51
+ (#eq? @obj "req")
52
+ (#eq? @prop "cookies")) @source
53
+
54
+ - id: fastify.request.body
55
+ class: http-body
56
+ query: |
57
+ (member_expression
58
+ object: (identifier) @obj
59
+ property: (property_identifier) @prop
60
+ (#eq? @obj "request")
61
+ (#eq? @prop "body")) @source
62
+
63
+ - id: fastify.request.query
64
+ class: http-params
65
+ query: |
66
+ (member_expression
67
+ object: (identifier) @obj
68
+ property: (property_identifier) @prop
69
+ (#eq? @obj "request")
70
+ (#eq? @prop "query")) @source
71
+
72
+ - id: fastify.request.params
73
+ class: http-params
74
+ query: |
75
+ (member_expression
76
+ object: (identifier) @obj
77
+ property: (property_identifier) @prop
78
+ (#eq? @obj "request")
79
+ (#eq? @prop "params")) @source
80
+
81
+ - id: hono.req.body
82
+ class: http-body
83
+ query: |
84
+ (member_expression
85
+ object: (member_expression
86
+ object: (identifier) @obj
87
+ property: (property_identifier) @reqProp
88
+ (#match? @obj "^(c|ctx)$")
89
+ (#eq? @reqProp "req"))
90
+ property: (property_identifier) @prop
91
+ (#eq? @prop "body")) @source
92
+
93
+ - id: hono.req.query
94
+ class: http-params
95
+ query: |
96
+ (member_expression
97
+ object: (member_expression
98
+ object: (identifier) @obj
99
+ property: (property_identifier) @reqProp
100
+ (#match? @obj "^(c|ctx)$")
101
+ (#eq? @reqProp "req"))
102
+ property: (property_identifier) @prop
103
+ (#match? @prop "^(query|param)$")) @source
104
+
105
+ - id: nest.decorator-body
106
+ class: http-body
107
+ query: |
108
+ (required_parameter
109
+ (decorator
110
+ (call_expression
111
+ function: (identifier) @dec
112
+ (#eq? @dec "Body")))
113
+ (identifier) @source)
114
+
115
+ - id: nest.decorator-query
116
+ class: http-params
117
+ query: |
118
+ (required_parameter
119
+ (decorator
120
+ (call_expression
121
+ function: (identifier) @dec
122
+ (#eq? @dec "Query")))
123
+ (identifier) @source)
124
+
125
+ - id: nest.decorator-param
126
+ class: http-params
127
+ query: |
128
+ (required_parameter
129
+ (decorator
130
+ (call_expression
131
+ function: (identifier) @dec
132
+ (#eq? @dec "Param")))
133
+ (identifier) @source)
134
+
135
+ - id: nest.decorator-headers
136
+ class: header
137
+ query: |
138
+ (required_parameter
139
+ (decorator
140
+ (call_expression
141
+ function: (identifier) @dec
142
+ (#eq? @dec "Headers")))
143
+ (identifier) @source)
144
+
145
+ - id: graphql.args
146
+ class: http-params
147
+ query: |
148
+ (required_parameter
149
+ (decorator
150
+ (call_expression
151
+ function: (identifier) @dec
152
+ (#eq? @dec "Args")))
153
+ (identifier) @source)
154
+
155
+ - id: websocket.message
156
+ class: http-body
157
+ query: |
158
+ (call_expression
159
+ function: (member_expression
160
+ property: (property_identifier) @method
161
+ (#eq? @method "on"))
162
+ arguments: (arguments
163
+ (string (string_fragment) @event)
164
+ (#eq? @event "message")
165
+ [
166
+ (arrow_function
167
+ parameters: (formal_parameters
168
+ (required_parameter (identifier) @source)))
169
+ (function_expression
170
+ parameters: (formal_parameters
171
+ (required_parameter (identifier) @source)))
172
+ ]))
173
+
174
+ - id: req.file.path
175
+ class: http-body
176
+ query: |
177
+ (member_expression
178
+ object: (member_expression
179
+ object: (identifier) @obj
180
+ property: (property_identifier) @fileProp
181
+ (#eq? @obj "req")
182
+ (#eq? @fileProp "file"))
183
+ property: (property_identifier) @prop
184
+ (#match? @prop "^(path|filename|originalname)$")) @source
185
+
186
+ - id: process.argv
187
+ class: process-argv
188
+ query: |
189
+ (member_expression
190
+ object: (identifier) @obj
191
+ property: (property_identifier) @prop
192
+ (#eq? @obj "process")
193
+ (#eq? @prop "argv")) @source
194
+
195
+ - id: process.env
196
+ class: env-var
197
+ query: |
198
+ (member_expression
199
+ object: (identifier) @obj
200
+ property: (property_identifier) @prop
201
+ (#eq? @obj "process")
202
+ (#eq? @prop "env")) @source
203
+
204
+ - id: fs.readFileSync
205
+ class: fs-read
206
+ query: |
207
+ (call_expression
208
+ function: (member_expression
209
+ object: (identifier) @obj
210
+ property: (property_identifier) @prop
211
+ (#eq? @obj "fs")
212
+ (#eq? @prop "readFileSync"))
213
+ arguments: (arguments (_) @source))
214
+
215
+ - id: fs.createReadStream
216
+ class: fs-read
217
+ query: |
218
+ (call_expression
219
+ function: (member_expression
220
+ object: (identifier) @obj
221
+ property: (property_identifier) @prop
222
+ (#eq? @obj "fs")
223
+ (#eq? @prop "createReadStream"))
224
+ arguments: (arguments (_) @source)) @match
225
+
226
+ - id: fetch-response-text
227
+ class: network-response
228
+ query: |
229
+ (call_expression
230
+ function: (identifier) @fetchFn
231
+ (#eq? @fetchFn "fetch")
232
+ arguments: (arguments (_) @source)) @match
233
+
234
+ - id: axios-get-response
235
+ class: network-response
236
+ query: |
237
+ (call_expression
238
+ function: (member_expression
239
+ object: (identifier) @obj
240
+ property: (property_identifier) @method
241
+ (#eq? @obj "axios")
242
+ (#eq? @method "get"))
243
+ arguments: (arguments (_) @source)) @match
244
+
245
+ sinks:
246
+ - id: eval
247
+ sink-class: code-execution
248
+ query: |
249
+ (call_expression
250
+ function: (identifier) @func
251
+ (#eq? @func "eval")
252
+ arguments: (arguments (_) @sink)) @match
253
+
254
+ - id: Function
255
+ sink-class: code-execution
256
+ query: |
257
+ (new_expression
258
+ constructor: (identifier) @func
259
+ (#eq? @func "Function")
260
+ arguments: (arguments (_) @sink)) @match
261
+
262
+ - id: vm.runInNewContext
263
+ sink-class: code-execution
264
+ query: |
265
+ (call_expression
266
+ function: (member_expression
267
+ object: (identifier) @obj
268
+ property: (property_identifier) @prop
269
+ (#eq? @obj "vm")
270
+ (#eq? @prop "runInNewContext"))
271
+ arguments: (arguments (_) @sink)) @match
272
+
273
+ - id: res.send
274
+ sink-class: xss
275
+ query: |
276
+ (call_expression
277
+ function: (member_expression
278
+ object: (identifier) @obj
279
+ property: (property_identifier) @prop
280
+ (#eq? @obj "res")
281
+ (#eq? @prop "send"))
282
+ arguments: (arguments (_) @sink)) @match
283
+
284
+ - id: res.write
285
+ sink-class: xss
286
+ query: |
287
+ (call_expression
288
+ function: (member_expression
289
+ object: (identifier) @obj
290
+ property: (property_identifier) @prop
291
+ (#eq? @obj "res")
292
+ (#eq? @prop "write"))
293
+ arguments: (arguments (_) @sink)) @match
294
+
295
+ - id: res.json
296
+ sink-class: xss
297
+ query: |
298
+ (call_expression
299
+ function: (member_expression
300
+ object: (identifier) @obj
301
+ property: (property_identifier) @prop
302
+ (#eq? @obj "res")
303
+ (#eq? @prop "json"))
304
+ arguments: (arguments (_) @sink)) @match
305
+
306
+ - id: innerHTML
307
+ sink-class: xss
308
+ query: |
309
+ (assignment_expression
310
+ left: (member_expression
311
+ property: (property_identifier) @prop
312
+ (#eq? @prop "innerHTML"))
313
+ right: (_) @sink) @match
314
+
315
+ - id: db.query
316
+ sink-class: sql-injection
317
+ query: |
318
+ (call_expression
319
+ function: (member_expression
320
+ object: (identifier) @obj
321
+ property: (property_identifier) @prop
322
+ (#eq? @obj "db")
323
+ (#eq? @prop "query"))
324
+ arguments: (arguments (_) @sink)) @match
325
+
326
+ - id: connection.execute
327
+ sink-class: sql-injection
328
+ query: |
329
+ (call_expression
330
+ function: (member_expression
331
+ object: (identifier) @obj
332
+ property: (property_identifier) @prop
333
+ (#eq? @obj "connection")
334
+ (#eq? @prop "execute"))
335
+ arguments: (arguments (_) @sink)) @match
336
+
337
+ - id: sequelize.query
338
+ sink-class: sql-injection
339
+ query: |
340
+ (call_expression
341
+ function: (member_expression
342
+ object: (member_expression)
343
+ property: (property_identifier) @prop
344
+ (#eq? @prop "query"))
345
+ arguments: (arguments (_) @sink)) @match
346
+
347
+ - id: Model.find-$where
348
+ sink-class: sql-injection
349
+ query: |
350
+ (call_expression
351
+ function: (member_expression
352
+ property: (property_identifier) @method
353
+ (#eq? @method "find"))
354
+ arguments: (arguments (object (pair
355
+ key: (property_identifier) @key
356
+ (#eq? @key "$where")
357
+ value: (_) @sink)))) @match
358
+
359
+ - id: template-literal-sql
360
+ sink-class: sql-injection
361
+ query: |
362
+ (call_expression
363
+ function: (member_expression
364
+ property: (property_identifier) @method
365
+ (#match? @method "^(query|execute|raw)$"))
366
+ arguments: (arguments (template_string) @sink (#match? @sink "SELECT|INSERT|UPDATE|DELETE|UNION")))
367
+
368
+ - id: child_process.exec
369
+ sink-class: command-injection
370
+ query: |
371
+ (call_expression
372
+ function: (member_expression
373
+ object: (identifier) @obj
374
+ property: (property_identifier) @prop
375
+ (#eq? @obj "child_process")
376
+ (#eq? @prop "exec"))
377
+ arguments: (arguments (_) @sink)) @match
378
+
379
+ - id: child_process.execSync
380
+ sink-class: command-injection
381
+ query: |
382
+ (call_expression
383
+ function: (member_expression
384
+ object: (identifier) @obj
385
+ property: (property_identifier) @prop
386
+ (#eq? @obj "child_process")
387
+ (#eq? @prop "execSync"))
388
+ arguments: (arguments (_) @sink)) @match
389
+
390
+ - id: child_process.spawn
391
+ sink-class: command-injection
392
+ query: |
393
+ (call_expression
394
+ function: (member_expression
395
+ object: (identifier) @obj
396
+ property: (property_identifier) @prop
397
+ (#eq? @obj "child_process")
398
+ (#match? @prop "^(spawn|execFile)$"))
399
+ arguments: (arguments (_) @sink)) @match
400
+
401
+ - id: prisma.queryRaw
402
+ sink-class: sql-injection
403
+ query: |
404
+ (call_expression
405
+ function: (member_expression
406
+ object: (identifier) @obj
407
+ property: (property_identifier) @prop
408
+ (#eq? @obj "prisma")
409
+ (#match? @prop "^\\$queryRaw$|^\\$executeRaw$"))
410
+ arguments: (arguments (_) @sink)) @match
411
+
412
+ - id: exec
413
+ sink-class: command-injection
414
+ query: |
415
+ (call_expression
416
+ function: (identifier) @func
417
+ (#eq? @func "exec")
418
+ arguments: (arguments (_) @sink)) @match
419
+
420
+ - id: fs.readFile-path
421
+ sink-class: path-traversal
422
+ query: |
423
+ (call_expression
424
+ function: (member_expression
425
+ object: (identifier) @obj
426
+ property: (property_identifier) @prop
427
+ (#eq? @obj "fs")
428
+ (#eq? @prop "readFile"))
429
+ arguments: (arguments (_) @sink)) @match
430
+
431
+ - id: fs.writeFile-path
432
+ sink-class: path-traversal
433
+ query: |
434
+ (call_expression
435
+ function: (member_expression
436
+ object: (identifier) @obj
437
+ property: (property_identifier) @prop
438
+ (#eq? @obj "fs")
439
+ (#eq? @prop "writeFile"))
440
+ arguments: (arguments (_) @sink)) @match
441
+
442
+ - id: res.sendFile
443
+ sink-class: path-traversal
444
+ query: |
445
+ (call_expression
446
+ function: (member_expression
447
+ object: (identifier) @obj
448
+ property: (property_identifier) @prop
449
+ (#eq? @obj "res")
450
+ (#eq? @prop "sendFile"))
451
+ arguments: (arguments (_) @sink)) @match
452
+
453
+ - id: res.download
454
+ sink-class: path-traversal
455
+ query: |
456
+ (call_expression
457
+ function: (member_expression
458
+ object: (identifier) @obj
459
+ property: (property_identifier) @prop
460
+ (#eq? @obj "res")
461
+ (#eq? @prop "download"))
462
+ arguments: (arguments (_) @sink)) @match
463
+
464
+ - id: express.static
465
+ sink-class: path-traversal
466
+ query: |
467
+ (call_expression
468
+ function: (member_expression
469
+ object: (identifier) @obj
470
+ property: (property_identifier) @prop
471
+ (#eq? @obj "express")
472
+ (#eq? @prop "static"))
473
+ arguments: (arguments (_) @sink)) @match
474
+
475
+ - id: res.redirect
476
+ sink-class: url-injection
477
+ query: |
478
+ (call_expression
479
+ function: (member_expression
480
+ object: (identifier) @obj
481
+ property: (property_identifier) @prop
482
+ (#eq? @obj "res")
483
+ (#eq? @prop "redirect"))
484
+ arguments: (arguments (_) @sink)) @match
485
+
486
+ - id: location.href
487
+ sink-class: url-injection
488
+ query: |
489
+ (assignment_expression
490
+ left: (member_expression
491
+ object: (member_expression
492
+ property: (property_identifier) @locProp
493
+ (#eq? @locProp "location"))
494
+ property: (property_identifier) @hrefProp
495
+ (#eq? @hrefProp "href"))
496
+ right: (_) @sink) @match
497
+
498
+ - id: Object.assign-pollution
499
+ sink-class: prototype-pollution
500
+ query: |
501
+ (call_expression
502
+ function: (member_expression
503
+ object: (identifier) @obj
504
+ property: (property_identifier) @prop
505
+ (#eq? @obj "Object")
506
+ (#eq? @prop "assign"))
507
+ arguments: (arguments (_) @first (_) @sink)) @match
508
+
509
+ - id: merge-deep
510
+ sink-class: prototype-pollution
511
+ query: |
512
+ (call_expression
513
+ function: (identifier) @func
514
+ (#match? @func "^(merge|extend|mergeDeep)$")
515
+ arguments: (arguments (_) @first (_) @sink)) @match
516
+
517
+ - id: fs.promises.readFile
518
+ sink-class: path-traversal
519
+ query: |
520
+ (call_expression
521
+ function: (member_expression
522
+ object: (member_expression
523
+ object: (identifier) @fs
524
+ property: (property_identifier) @prom
525
+ (#eq? @fs "fs")
526
+ (#eq? @prom "promises"))
527
+ property: (property_identifier) @method
528
+ (#match? @method "^(readFile|writeFile|open)$"))
529
+ arguments: (arguments (_) @sink)) @match
530
+
531
+ - id: next.redirect
532
+ sink-class: url-injection
533
+ query: |
534
+ (call_expression
535
+ function: (identifier) @fn
536
+ (#eq? @fn "redirect")
537
+ arguments: (arguments (_) @sink)) @match
538
+
539
+ - id: NextResponse.redirect
540
+ sink-class: url-injection
541
+ query: |
542
+ (call_expression
543
+ function: (member_expression
544
+ object: (identifier) @obj
545
+ property: (property_identifier) @prop
546
+ (#eq? @obj "NextResponse")
547
+ (#eq? @prop "redirect"))
548
+ arguments: (arguments (_) @sink)) @match
549
+
550
+ - id: drizzle-sql
551
+ sink-class: sql-injection
552
+ query: |
553
+ (call_expression
554
+ function: (identifier) @fn
555
+ (#eq? @fn "sql")
556
+ arguments: (arguments (template_string (template_substitution (_) @sink)))) @match
557
+
558
+ - id: kysely-sql
559
+ sink-class: sql-injection
560
+ query: |
561
+ (call_expression
562
+ function: (member_expression
563
+ property: (property_identifier) @prop
564
+ (#eq? @prop "sql"))
565
+ arguments: (arguments (template_string) @sink)) @match
566
+
567
+ sanitisers:
568
+ - id: encodeURIComponent
569
+ sanitises: [xss, url-injection]
570
+ autofix-safety: global
571
+ query: |
572
+ (call_expression
573
+ function: (identifier) @func
574
+ (#eq? @func "encodeURIComponent")) @sanitiser
575
+
576
+ - id: JSON.stringify
577
+ sanitises: [xss]
578
+ autofix-safety: global
579
+ query: |
580
+ (call_expression
581
+ function: (member_expression
582
+ object: (identifier) @obj
583
+ property: (property_identifier) @prop
584
+ (#eq? @obj "JSON")
585
+ (#eq? @prop "stringify"))) @sanitiser
586
+
587
+ - id: parameterised-query
588
+ sanitises: [sql-injection]
589
+ query: |
590
+ (call_expression
591
+ function: (member_expression
592
+ property: (property_identifier) @prop
593
+ (#match? @prop "^(query|execute|run)$"))
594
+ arguments: (arguments . (_) @first . (template_string) @params)) @sanitiser
595
+
596
+ - id: parameterised-query-placeholder
597
+ sanitises: [sql-injection]
598
+ query: |
599
+ (call_expression
600
+ function: (member_expression
601
+ property: (property_identifier) @prop
602
+ (#match? @prop "^(query|execute|run)$"))
603
+ arguments: (arguments . (_) @first . (array) @params)) @sanitiser
604
+
605
+ - id: escape-shell-arg
606
+ sanitises: [command-injection]
607
+ query: |
608
+ (call_expression
609
+ function: (member_expression
610
+ property: (property_identifier) @prop
611
+ (#match? @prop "^(escapeShellArg|shellEscape|quote)$"))) @sanitiser
612
+
613
+ - id: Object.freeze-pollution
614
+ sanitises: [prototype-pollution]
615
+ query: |
616
+ (call_expression
617
+ function: (member_expression
618
+ object: (identifier) @obj
619
+ property: (property_identifier) @prop
620
+ (#eq? @obj "Object")
621
+ (#eq? @prop "freeze"))) @sanitiser
622
+
623
+ - id: DOMPurify.sanitize
624
+ sanitises: [xss]
625
+ autofix-safety: requires-import
626
+ query: |
627
+ (call_expression
628
+ function: (member_expression
629
+ object: (identifier) @obj
630
+ property: (property_identifier) @prop
631
+ (#eq? @obj "DOMPurify")
632
+ (#eq? @prop "sanitize"))) @sanitiser
633
+
634
+ - id: path.resolve
635
+ sanitises: [path-traversal]
636
+ query: |
637
+ (call_expression
638
+ function: (member_expression
639
+ object: (identifier) @obj
640
+ property: (property_identifier) @prop
641
+ (#eq? @obj "path")
642
+ (#eq? @prop "resolve"))) @sanitiser
643
+
644
+ - id: zod.parse
645
+ sanitises: [xss, sql-injection, command-injection, path-traversal, url-injection, prototype-pollution, code-execution]
646
+ autofix-safety: manual
647
+ query: |
648
+ (call_expression
649
+ function: (member_expression
650
+ property: (property_identifier) @prop
651
+ (#match? @prop "^(parse|safeParse)$"))) @sanitiser
652
+
653
+ - id: valibot.parse
654
+ sanitises: [xss, sql-injection, command-injection, path-traversal, url-injection, prototype-pollution, code-execution]
655
+ autofix-safety: manual
656
+ query: |
657
+ (call_expression
658
+ function: (member_expression
659
+ property: (property_identifier) @prop
660
+ (#match? @prop "^(parse|safeParse)$"))) @sanitiser
Binary file