secure-review-extension 1.0.0

package/src/scanners/static-rules.js

@@ -0,0 +1,497 @@
+const STATIC_RULES = [
+  {
+    id: "hardcoded-secret",
+    title: "Hard-coded secret or credential material",
+    severity: "critical",
+    confidence: "high",
+    category: "Secrets",
+    subcategory: "Credential Exposure",
+    reviewDomain: "security",
+    regex: /(api[_-]?key|secret|token|password|passwd|client_secret)\s*[:=]\s*["'][^"']{8,}["']/gi,
+    remediation: "Move the secret to environment variables or a secret manager and rotate the exposed credential.",
+    suggestion: "Centralize secret access through environment-backed configuration or a dedicated secrets manager.",
+    whyItMatters: "Hard-coded credentials can be extracted from source control and abused for unauthorized access.",
+    standards: ["CWE-798", "OWASP:A07"]
+  },
+  {
+    id: "aws-access-key",
+    title: "AWS access key pattern found in source",
+    severity: "critical",
+    confidence: "high",
+    category: "Secrets",
+    subcategory: "Cloud Credential Exposure",
+    reviewDomain: "security",
+    regex: /\bAKIA[0-9A-Z]{16}\b/g,
+    remediation: "Rotate the key immediately and remove it from source control.",
+    suggestion: "Use short-lived cloud credentials and never persist them in workspace files.",
+    whyItMatters: "Exposed cloud credentials can lead to infrastructure compromise and privilege abuse.",
+    standards: ["CWE-798", "OWASP:A07"]
+  },
+  {
+    id: "weak-crypto",
+    title: "Weak cryptographic algorithm usage",
+    severity: "high",
+    confidence: "high",
+    category: "Crypto",
+    subcategory: "Weak Hashing",
+    reviewDomain: "security",
+    regex: /\b(md5|sha1)\b/gi,
+    remediation: "Use modern algorithms such as SHA-256 or stronger password hashing like bcrypt, scrypt, or Argon2.",
+    suggestion: "Replace weak hashes and audit any existing stored values or compatibility assumptions.",
+    whyItMatters: "Weak cryptography can allow attackers to forge values or crack secrets more efficiently.",
+    standards: ["CWE-327", "OWASP:A02"]
+  },
+  {
+    id: "eval-usage",
+    title: "Dynamic code execution sink",
+    severity: "high",
+    confidence: "high",
+    category: "Code Execution",
+    subcategory: "Unsafe Execution",
+    reviewDomain: "security",
+    regex: /\b(eval|new Function|execSync|spawnSync|Runtime\.getRuntime\(\)\.exec)\s*\(/g,
+    remediation: "Avoid dynamic execution. Replace with safe, explicit logic or strict allowlisting.",
+    suggestion: "Refactor away from string-based execution and use structured command or function dispatch.",
+    whyItMatters: "Dynamic execution can become command or code injection when input is attacker influenced.",
+    standards: ["CWE-94", "OWASP:A03"]
+  },
+  {
+    id: "sql-concat",
+    title: "Possible SQL query built by concatenation",
+    severity: "high",
+    confidence: "medium",
+    category: "Injection",
+    subcategory: "SQL Injection",
+    reviewDomain: "security",
+    regex: /(SELECT|INSERT|UPDATE|DELETE)[\s\S]{0,120}(\+|\$\{|format\(|f["'])/gi,
+    remediation: "Use parameterized queries or ORM-bound parameters instead of string concatenation.",
+    suggestion: "Adopt parameter binding in all repository or database access layers.",
+    whyItMatters: "String-built queries are a common source of SQL injection vulnerabilities.",
+    standards: ["CWE-89", "OWASP:A03"]
+  },
+  {
+    id: "xss-innerhtml",
+    title: "Potential HTML injection via innerHTML",
+    severity: "medium",
+    confidence: "high",
+    category: "XSS",
+    subcategory: "Unsafe DOM Injection",
+    reviewDomain: "security",
+    regex: /\.innerHTML\s*=/g,
+    remediation: "Prefer textContent or sanitize untrusted HTML before rendering.",
+    suggestion: "Use safe rendering primitives and sanitize any trusted HTML fragments explicitly.",
+    whyItMatters: "Unsafe HTML insertion can allow script execution in the browser.",
+    standards: ["CWE-79", "OWASP:A03"]
+  },
+  {
+    id: "dangerously-set-html",
+    title: "React dangerouslySetInnerHTML usage",
+    severity: "medium",
+    confidence: "medium",
+    category: "XSS",
+    subcategory: "Unsafe Rendering",
+    reviewDomain: "security",
+    regex: /dangerouslySetInnerHTML/g,
+    remediation: "Ensure the HTML is fully sanitized and trusted, or avoid HTML injection entirely.",
+    suggestion: "Render structured UI components instead of raw HTML where possible.",
+    whyItMatters: "Raw HTML injection expands the attack surface for XSS and content spoofing.",
+    standards: ["CWE-79", "OWASP:A03"]
+  },
+  {
+    id: "insecure-random",
+    title: "Non-cryptographic randomness in security-sensitive context",
+    severity: "medium",
+    confidence: "medium",
+    category: "Crypto",
+    subcategory: "Weak Randomness",
+    reviewDomain: "security",
+    regex: /\bMath\.random\s*\(/g,
+    remediation: "Use a cryptographically secure random source for secrets, tokens, or identifiers.",
+    suggestion: "Switch to crypto-secure randomness such as crypto.randomBytes or platform equivalents.",
+    whyItMatters: "Predictable randomness can weaken tokens, reset links, or other security-sensitive values.",
+    standards: ["CWE-338", "OWASP:A02"]
+  },
+  {
+    id: "path-traversal",
+    title: "User-controlled file path construction",
+    severity: "high",
+    confidence: "medium",
+    category: "File Handling",
+    subcategory: "Path Traversal",
+    reviewDomain: "security",
+    regex: /(readFile|writeFile|open|sendFile|File\(|open\().{0,120}(req\.(params|query|body)|input|userInput)/gi,
+    remediation: "Validate and normalize file paths against a strict allowlist before file access.",
+    suggestion: "Use fixed base directories and reject `..`, absolute paths, and unexpected extensions.",
+    whyItMatters: "Unvalidated file paths can allow attackers to read or overwrite arbitrary files.",
+    standards: ["CWE-22", "OWASP:A01"]
+  },
+  {
+    id: "ssrf-url",
+    title: "Potential server-side request using untrusted URL input",
+    severity: "high",
+    confidence: "medium",
+    category: "Network Access",
+    subcategory: "SSRF",
+    reviewDomain: "security",
+    regex: /(fetch|axios|get|post|request|http\.request|https\.request)\(.{0,100}(req\.(query|body|params)|url|userInput|input)/gi,
+    remediation: "Validate outbound destinations against a strict allowlist and block internal address ranges.",
+    suggestion: "Centralize outbound HTTP through a vetted client with destination validation.",
+    whyItMatters: "Attacker-controlled URLs can be used to reach internal services or metadata endpoints.",
+    standards: ["CWE-918", "OWASP:A10"]
+  },
+  {
+    id: "unsafe-deserialization",
+    title: "Unsafe deserialization pattern",
+    severity: "high",
+    confidence: "medium",
+    category: "Serialization",
+    subcategory: "Deserialization",
+    reviewDomain: "security",
+    regex: /\b(pickle\.loads|yaml\.load\(|ObjectInputStream|BinaryFormatter|unserialize\()\b/gi,
+    remediation: "Use safe parsing APIs and never deserialize untrusted input into executable object graphs.",
+    suggestion: "Prefer JSON or schema-validated safe formats for untrusted data interchange.",
+    whyItMatters: "Unsafe deserialization can lead to remote code execution or privilege abuse.",
+    standards: ["CWE-502", "OWASP:A08"]
+  },
+  {
+    id: "debug-log",
+    title: "Verbose logging may expose sensitive data",
+    severity: "low",
+    confidence: "medium",
+    category: "Logging",
+    subcategory: "Sensitive Logging",
+    reviewDomain: "security",
+    regex: /\b(console\.log|print_r|var_dump|System\.out\.println|logger\.debug)\b/g,
+    remediation: "Review logs for sensitive material and gate debug logging by environment.",
+    suggestion: "Use structured logging with data redaction and environment-controlled verbosity.",
+    whyItMatters: "Verbose logs can leak credentials, tokens, or PII into log stores.",
+    standards: ["CWE-532", "OWASP:A09"]
+  },
+  {
+    id: "missing-auth-check",
+    title: "Sensitive route may lack an authorization guard",
+    severity: "high",
+    confidence: "low",
+    category: "Authorization",
+    subcategory: "Access Control",
+    reviewDomain: "security",
+    regex: /(router\.(get|post|put|delete)|app\.(get|post|put|delete)|@Get|@Post).{0,120}(admin|export|delete|update|account)/gi,
+    remediation: "Verify that sensitive routes enforce authentication and resource-level authorization.",
+    suggestion: "Add explicit authz middleware or decorators close to the route definition.",
+    whyItMatters: "Missing or inconsistent access control is a frequent cause of privilege escalation.",
+    standards: ["CWE-862", "OWASP:A01"]
+  },
+  {
+    id: "open-cors",
+    title: "Overly permissive CORS configuration",
+    severity: "medium",
+    confidence: "medium",
+    category: "Configuration",
+    subcategory: "CORS",
+    reviewDomain: "security",
+    regex: /(Access-Control-Allow-Origin['"]?\s*[:=]\s*['"]\*['"]|cors\(\s*\{?\s*origin:\s*['"]\*['"])/gi,
+    remediation: "Restrict CORS origins to trusted domains and avoid wildcard access for sensitive endpoints.",
+    suggestion: "Use environment-specific trusted origin lists instead of permissive defaults.",
+    whyItMatters: "Permissive CORS can expose sensitive APIs to unintended web origins.",
+    standards: ["CWE-942", "OWASP:A05"]
+  },
+  {
+    id: "open-redirect",
+    title: "Potential open redirect using untrusted input",
+    severity: "medium",
+    confidence: "medium",
+    category: "Validation",
+    subcategory: "Open Redirect",
+    reviewDomain: "security",
+    regex: /(redirect|Response\.Redirect|res\.redirect)\(.{0,100}(req\.(query|body|params)|next|redirect|returnUrl|url)/gi,
+    remediation: "Validate redirect destinations against a strict allowlist or restrict redirects to relative internal paths.",
+    suggestion: "Normalize redirect targets and reject external or attacker-controlled URLs.",
+    whyItMatters: "Open redirects can be abused in phishing flows or chained with other attacks.",
+    standards: ["CWE-601", "OWASP:A01"]
+  },
+  {
+    id: "cookie-insecure",
+    title: "Session cookie appears to disable secure attributes",
+    severity: "high",
+    confidence: "medium",
+    category: "Session Management",
+    subcategory: "Cookie Security",
+    reviewDomain: "security",
+    regex: /(httpOnly\s*:\s*false|secure\s*:\s*false|sameSite\s*:\s*false|SameSite=None(?!; Secure))/gi,
+    remediation: "Enable HttpOnly, Secure, and an appropriate SameSite policy for sensitive cookies.",
+    suggestion: "Centralize session cookie defaults and make secure flags the default baseline.",
+    whyItMatters: "Weak cookie flags increase the risk of session theft, CSRF abuse, and client-side access to session data.",
+    standards: ["CWE-614", "OWASP:A07"]
+  },
+  {
+    id: "csrf-risk",
+    title: "State-changing endpoint may be missing CSRF protections",
+    severity: "medium",
+    confidence: "low",
+    category: "Session Management",
+    subcategory: "CSRF",
+    reviewDomain: "security",
+    regex: /(router\.(post|put|patch|delete)|app\.(post|put|patch|delete)|@Post|@Put|@Delete).{0,160}(cookie|session|csrf|auth)/gi,
+    remediation: "Verify anti-CSRF protections for cookie-based authenticated state-changing requests.",
+    suggestion: "Add CSRF tokens, SameSite protections, or stateless auth patterns where appropriate.",
+    whyItMatters: "Cookie-authenticated write endpoints are often exposed to CSRF if no explicit protection exists.",
+    standards: ["CWE-352", "OWASP:A01"]
+  },
+  {
+    id: "file-upload-any",
+    title: "File upload handler may lack validation limits",
+    severity: "medium",
+    confidence: "medium",
+    category: "File Handling",
+    subcategory: "Upload Validation",
+    reviewDomain: "security",
+    regex: /\b(upload\.any\(|multer\(\)|request\.files|req\.files|IFormFile|MultipartFile)\b/gi,
+    remediation: "Validate file type, size, storage path, and scanning requirements for uploads.",
+    suggestion: "Use explicit upload allowlists and enforce storage and content validation before processing.",
+    whyItMatters: "Unrestricted file upload paths can lead to malware upload, storage abuse, or unsafe file processing.",
+    standards: ["CWE-434", "OWASP:A05"]
+  },
+  {
+    id: "redos-risk",
+    title: "Regular expression may be vulnerable to catastrophic backtracking",
+    severity: "medium",
+    confidence: "low",
+    category: "Validation",
+    subcategory: "ReDoS",
+    reviewDomain: "security",
+    regex: /\/(\([^/]*[+*][^/]*\))[+*][^/]*\//g,
+    remediation: "Review the expression for nested quantifiers and use bounded or linear-time patterns.",
+    suggestion: "Prefer simpler regexes, input length limits, or safer parsers on untrusted input paths.",
+    whyItMatters: "Catastrophic backtracking can create denial-of-service conditions on crafted input.",
+    standards: ["CWE-1333", "OWASP:A10"]
+  },
+  {
+    id: "unsafe-redirect-param",
+    title: "Redirect or return URL parameter detected",
+    severity: "low",
+    confidence: "low",
+    category: "Validation",
+    subcategory: "Redirect Flow",
+    reviewDomain: "security",
+    regex: /\b(returnUrl|redirectUri|redirect_url|nextUrl|continueUrl)\b/g,
+    remediation: "Review redirect parameters and validate them against trusted application routes.",
+    suggestion: "Model redirect state with opaque route identifiers rather than raw URLs.",
+    whyItMatters: "Redirect parameters are a common source of open redirect and login flow abuse.",
+    standards: ["Review Heuristic"]
+  },
+  {
+    id: "todo-security",
+    title: "Security-sensitive TODO or FIXME marker",
+    severity: "low",
+    confidence: "medium",
+    category: "Maintainability",
+    subcategory: "Deferred Security Work",
+    reviewDomain: "maintainability",
+    regex: /\b(TODO|FIXME|HACK|TEMP)\b.{0,80}(auth|security|token|password|sanitize|validate|encrypt)/gi,
+    remediation: "Resolve or track the deferred security-sensitive work before release.",
+    suggestion: "Convert critical TODOs into tickets with owners and release blocking decisions.",
+    whyItMatters: "Deferred security work often becomes permanent production risk.",
+    standards: ["Internal Review"]
+  },
+  {
+    id: "deprecated-request-lib",
+    title: "Deprecated or risky library usage pattern",
+    severity: "medium",
+    confidence: "medium",
+    category: "Outdated Practices",
+    subcategory: "Deprecated Dependency Pattern",
+    reviewDomain: "outdated-practices",
+    regex: /\brequire\(['"]request['"]\)|from ['"]request['"]/g,
+    remediation: "Replace deprecated libraries with supported alternatives and review their security posture.",
+    suggestion: "Migrate to maintained HTTP client libraries and update surrounding error handling.",
+    whyItMatters: "Deprecated dependencies often miss security fixes and drag outdated patterns into the codebase.",
+    standards: ["Maintenance"]
+  },
+  {
+    id: "broad-catch",
+    title: "Broad exception handling without meaningful action",
+    severity: "medium",
+    confidence: "medium",
+    category: "Reliability",
+    subcategory: "Error Handling",
+    reviewDomain: "reliability",
+    regex: /(catch\s*\(\s*[a-zA-Z_][a-zA-Z0-9_]*\s*\)\s*\{\s*(return|null|pass|\/\/|$)|except\s+Exception\s*:\s*(pass|return))/gmi,
+    remediation: "Handle expected errors explicitly and log or surface unexpected failures.",
+    suggestion: "Catch narrower exception types and preserve actionable failure context.",
+    whyItMatters: "Broad catch blocks can hide broken behavior and make incident response difficult.",
+    standards: ["Reliability Review"]
+  },
+  {
+    id: "silent-promise",
+    title: "Promise chain may suppress failures",
+    severity: "medium",
+    confidence: "medium",
+    category: "Reliability",
+    subcategory: "Async Error Handling",
+    reviewDomain: "reliability",
+    regex: /\.catch\s*\(\s*\(\s*\)\s*=>\s*\{\s*\}\s*\)|\.catch\s*\(\s*console\.log\s*\)/g,
+    remediation: "Handle promise failures explicitly and preserve enough context for debugging or recovery.",
+    suggestion: "Propagate or log actionable errors instead of swallowing them in empty catch handlers.",
+    whyItMatters: "Suppressed async failures can create data loss, silent corruption, or missing alerts.",
+    standards: ["Reliability Review"]
+  },
+  {
+    id: "missing-timeout",
+    title: "Outbound network call may lack a timeout",
+    severity: "medium",
+    confidence: "low",
+    category: "Reliability",
+    subcategory: "Timeout Handling",
+    reviewDomain: "reliability",
+    regex: /(fetch|axios\.get|axios\.post|requests\.(get|post)|http\.request|https\.request)\(/gi,
+    remediation: "Set explicit timeouts and failure handling for outbound network dependencies.",
+    suggestion: "Wrap remote calls in a helper that enforces timeouts, retries, and circuit-breaking rules.",
+    whyItMatters: "Unbounded waits on remote calls can degrade throughput and make failures cascade.",
+    standards: ["Reliability Review"]
+  },
+  {
+    id: "blocking-io",
+    title: "Blocking synchronous I/O on an application path",
+    severity: "medium",
+    confidence: "medium",
+    category: "Performance",
+    subcategory: "Blocking Operation",
+    reviewDomain: "performance",
+    regex: /\b(readFileSync|writeFileSync|execSync|spawnSync)\b/g,
+    remediation: "Prefer async I/O for request-handling or interactive code paths.",
+    suggestion: "Move heavy or blocking work off the main execution path.",
+    whyItMatters: "Blocking operations reduce throughput and can amplify latency under load.",
+    standards: ["Performance Review"]
+  },
+  {
+    id: "n-plus-one-heuristic",
+    title: "Loop may trigger repeated database or network access",
+    severity: "medium",
+    confidence: "low",
+    category: "Performance",
+    subcategory: "Repeated I/O",
+    reviewDomain: "performance",
+    regex: /(for\s*\(|forEach\s*\(|while\s*\().{0,220}(find\(|select\(|query\(|fetch\(|axios\.|requests\.)/gis,
+    remediation: "Batch related queries or requests outside loops where possible.",
+    suggestion: "Review the loop for N+1 behavior and add caching or prefetching if needed.",
+    whyItMatters: "Repeated I/O in loops can create severe latency and database pressure in production.",
+    standards: ["Performance Review"]
+  },
+  {
+    id: "inefficient-render-map-key",
+    title: "Frontend list rendering may be using unstable keys",
+    severity: "low",
+    confidence: "medium",
+    category: "Frontend",
+    subcategory: "Rendering Stability",
+    reviewDomain: "quality",
+    regex: /key=\{(index|i)\}/g,
+    remediation: "Use stable domain identifiers for list keys rather than indexes.",
+    suggestion: "Prefer persistent IDs from the data model to reduce render bugs and stale state.",
+    whyItMatters: "Unstable keys can produce rendering glitches, stale state, and hard-to-trace UI bugs.",
+    standards: ["Frontend Review"]
+  },
+  {
+    id: "accessibility-click-only",
+    title: "Interactive element may be missing keyboard semantics",
+    severity: "low",
+    confidence: "medium",
+    category: "Frontend",
+    subcategory: "Accessibility",
+    reviewDomain: "quality",
+    regex: /<(div|span)[^>]+onClick=/g,
+    remediation: "Use semantic interactive elements or add keyboard handlers and accessibility roles.",
+    suggestion: "Prefer buttons and links over generic clickable containers.",
+    whyItMatters: "Non-semantic interactivity often creates keyboard and assistive technology issues.",
+    standards: ["Accessibility Review"]
+  },
+  {
+    id: "nested-complexity",
+    title: "Deeply nested control flow may be hard to maintain",
+    severity: "low",
+    confidence: "low",
+    category: "Code Quality",
+    subcategory: "Complexity",
+    reviewDomain: "quality",
+    regex: /(if\s*\([^\n]+\)\s*\{[\s\S]{0,200}if\s*\([^\n]+\)\s*\{[\s\S]{0,200}if\s*\([^\n]+\))/g,
+    remediation: "Simplify control flow, extract helpers, and use guard clauses.",
+    suggestion: "Refactor nested logic into smaller units with explicit responsibilities.",
+    whyItMatters: "Highly nested logic is harder to test, review, and secure correctly.",
+    standards: ["Maintainability Review"]
+  },
+  {
+    id: "large-function",
+    title: "Long function may be difficult to review and maintain",
+    severity: "low",
+    confidence: "low",
+    category: "Maintainability",
+    subcategory: "Large Unit",
+    reviewDomain: "maintainability",
+    regex: /(function\s+[a-zA-Z0-9_]+\s*\([^)]*\)\s*\{[\s\S]{800,}|def\s+[a-zA-Z0-9_]+\s*\([^)]*\)\s*:[\s\S]{800,})/g,
+    remediation: "Break large routines into smaller focused units with clearer responsibilities.",
+    suggestion: "Extract validation, transformation, and side-effect code into named helpers.",
+    whyItMatters: "Large functions are harder to reason about, test, and secure correctly.",
+    standards: ["Maintainability Review"]
+  },
+  {
+    id: "magic-number-threshold",
+    title: "Repeated magic numeric literals detected",
+    severity: "low",
+    confidence: "low",
+    category: "Code Quality",
+    subcategory: "Magic Values",
+    reviewDomain: "quality",
+    regex: /(^|[^\w])(86400|3600|1000|9999|65535)([^\w]|$)/g,
+    remediation: "Replace unexplained numeric literals with named constants or configuration values.",
+    suggestion: "Document the meaning of thresholds, limits, and protocol values explicitly.",
+    whyItMatters: "Magic values make correctness and policy reasoning harder during maintenance.",
+    standards: ["Code Quality Review"]
+  },
+  {
+    id: "missing-tests-heuristic",
+    title: "Critical module may lack nearby automated tests",
+    severity: "medium",
+    confidence: "low",
+    category: "Testing",
+    subcategory: "Coverage Gap",
+    reviewDomain: "testing",
+    regex: /\b(auth|authorize|token|password|payment|transfer|admin)\b/gi,
+    remediation: "Add focused tests for sensitive logic and failure paths.",
+    suggestion: "Cover authn/authz, input validation, and error paths with regression tests.",
+    whyItMatters: "Sensitive code without tests is more likely to regress in security or correctness.",
+    standards: ["Quality Review"],
+    heuristic: "needs-test-correlation"
+  },
+  {
+    id: "deprecated-react-pattern",
+    title: "Legacy React pattern detected",
+    severity: "low",
+    confidence: "medium",
+    category: "Outdated Practices",
+    subcategory: "Legacy Framework Pattern",
+    reviewDomain: "outdated-practices",
+    regex: /\bcomponentWillMount\b|\bcomponentWillReceiveProps\b|\bcomponentWillUpdate\b/g,
+    remediation: "Migrate deprecated lifecycle patterns to modern React alternatives.",
+    suggestion: "Refactor toward effects, derived state cleanup, or modern lifecycle-safe patterns.",
+    whyItMatters: "Deprecated framework APIs increase upgrade friction and often encode unsafe legacy behavior.",
+    standards: ["Modernization Review"]
+  },
+  {
+    id: "python-subprocess-shell",
+    title: "Python subprocess uses shell=True",
+    severity: "high",
+    confidence: "high",
+    category: "Code Execution",
+    subcategory: "Shell Invocation",
+    reviewDomain: "security",
+    regex: /\bsubprocess\.(run|Popen|call|check_output)\([^)]*shell\s*=\s*True/gi,
+    remediation: "Avoid shell=True where possible and pass explicit argument arrays instead.",
+    suggestion: "Call subprocesses with validated argument lists and strict allowlisting.",
+    whyItMatters: "Shell execution expands the attack surface for command injection and quoting bugs.",
+    standards: ["CWE-78", "OWASP:A03"]
+  }
+];
+
+module.exports = {
+  STATIC_RULES
+};