skill-checker 0.1.4 → 0.1.6

package/dist/index.js

@@ -1087,6 +1087,28 @@ var ENV_ACCESS_PATTERNS = [
   /\bgetenv\s*\(/,
   /\$\{?\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL|API_KEY)\w*\}?/i
 ];
+var REVERSE_SHELL_PATTERNS = [
+  /\/dev\/tcp\/[\w.-]+\/\d+/,
+  // bash -i >& /dev/tcp/host/port 0>&1
+  /\bnc(?:at)?\b[^\n]*\s-(?:e|c)\s+/,
+  // nc -e /bin/sh host port
+  /\bncat\b[^\n]*\s--exec\b/,
+  // ncat --exec /bin/sh host port
+  /\bsocket\.socket\s*\([^)]*\)[\s\S]*\.(?:connect|connect_ex)\s*\([^)]*\)[\s\S]*os\.dup2\s*\([^)]*\)[\s\S]*(?:subprocess\.(?:call|run|Popen)|os\.system)\s*\(/,
+  /\bphp\b[^\n]*\bfsockopen\s*\([^)]*\)[\s\S]*\b(?:exec|shell_exec|system|passthru)\s*\(/,
+  /\bperl\b[^\n]*\bSocket\b[\s\S]*\bconnect\s*\([^)]*\)[\s\S]*\bexec\s*\(/
+];
+var REMOTE_PIPELINE_EXEC_PATTERNS = [
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:sh|bash|zsh|ksh|ash)\b/i,
+  /\bcurl\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i,
+  /\bwget\b[^\n|]*https?:\/\/[^\s|]+[^\n]*\|\s*(?:python|python3|node)\b/i
+];
+var DATA_EXFIL_PATTERNS = [
+  /\bcurl\b[^\n]*(?:-d|--data|--data-binary|--data-raw)\s+@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bcurl\b[^\n]*(?:-F|--form)\s+[^\s=]+=@(?:[^\s'"`]+|["'`][^"'`]+["'`])/i,
+  /\bwget\b[^\n]*--post-file(?:=|\s+)(?:[^\s'"`]+|["'`][^"'`]+["'`])/i
+];
 var DYNAMIC_CODE_PATTERNS = [
   /\bcompile\s*\(/,
   /\bcodegen\b/i,
@@ -1094,6 +1116,55 @@ var DYNAMIC_CODE_PATTERNS = [
   /\brequire\s*\(\s*[^"'`\s]/,
   /\b__import__\s*\(/
 ];
+var PROVIDER_CREDENTIAL_PATTERNS = [
+  {
+    pattern: /\bsk-ant-api03-[A-Za-z0-9_-]{20,}\b/,
+    title: "Anthropic API key exposure"
+  },
+  {
+    pattern: /\bsk-proj-[A-Za-z0-9_-]{20,}\b/,
+    title: "OpenAI project key exposure"
+  },
+  {
+    pattern: /\bxox[bps]-[A-Za-z0-9-]{20,}\b/,
+    title: "Slack token exposure"
+  },
+  {
+    pattern: /\bAKIA[0-9A-Z]{16}\b/,
+    title: "AWS access key exposure"
+  },
+  {
+    pattern: /\bgh[op]_[A-Za-z0-9]{20,}\b/,
+    title: "GitHub token exposure"
+  },
+  {
+    pattern: /\bgithub_pat_[A-Za-z0-9_]{20,}\b/,
+    title: "GitHub fine-grained token exposure"
+  }
+];
+var OPENAI_SK_FALLBACK_PATTERN = /\bsk-[A-Za-z0-9_-]{20,}\b/;
+var CREDENTIAL_NAME_TOKENS = /* @__PURE__ */ new Set([
+  "api",
+  "key",
+  "token",
+  "secret",
+  "password",
+  "credential"
+]);
+var CREDENTIAL_COMPOUND_NAMES = /* @__PURE__ */ new Set([
+  "apikey",
+  "apitoken",
+  "accesskey",
+  "accesstoken",
+  "secretkey",
+  "secrettoken"
+]);
+var CREDENTIAL_EQUALS_PATTERN = /\b([A-Za-z0-9_-]+)\b\s*=\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_KEY_VALUE_PATTERN = /^\s*["'`]?([A-Za-z0-9_-]+)["'`]?\s*:\s*["'`]?([A-Za-z0-9._~+/=\-]{20,})/i;
+var AUTHORIZATION_BEARER_PATTERN = /\bAuthorization\b\s*:\s*Bearer\s+([A-Za-z0-9._~+/=\-]{20,})/i;
+var X_API_KEY_PATTERN = /\bx-api-key\b\s*:\s*([A-Za-z0-9._~+/=\-]{20,})/i;
+var CREDENTIAL_MIN_LENGTH = 20;
+var CREDENTIAL_MIN_ENTROPY = 4.5;
 var PERMISSION_PATTERNS = [
   /\bchmod\s+[+0-9]/,
   /\bchown\b/,
@@ -1168,6 +1239,40 @@ var codeSafetyChecks = {
           source,
           codeBlockCtx: cbCtx
         });
+        checkPatterns(results, line, REVERSE_SHELL_PATTERNS, {
+          id: "CODE-014",
+          severity: "CRITICAL",
+          title: "Reverse shell pattern",
+          loc,
+          lineNum,
+          source
+        });
+        const code015 = detectCode015(line);
+        if (code015) {
+          results.push({
+            id: "CODE-015",
+            category: "CODE",
+            severity: code015.severity,
+            title: code015.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
+        const credentialLeak = detectCredentialLeak(line);
+        if (credentialLeak) {
+          results.push({
+            id: "CODE-013",
+            category: "CODE",
+            severity: credentialLeak.severity,
+            title: credentialLeak.title,
+            message: `At ${loc}: ${line.trim().slice(0, 120)}`,
+            line: lineNum,
+            snippet: line.trim().slice(0, 120),
+            source
+          });
+        }
         checkPatterns(results, line, DYNAMIC_CODE_PATTERNS, {
           id: "CODE-010",
           severity: "HIGH",
@@ -1223,6 +1328,97 @@ function checkPatterns(results, line, patterns, opts) {
     }
   }
 }
+function detectCode015(line) {
+  if (REMOTE_PIPELINE_EXEC_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "CRITICAL",
+      title: "Remote pipeline execution pattern"
+    };
+  }
+  if (DATA_EXFIL_PATTERNS.some((pattern) => pattern.test(line))) {
+    return {
+      severity: "HIGH",
+      title: "Data exfiltration pattern"
+    };
+  }
+  return null;
+}
+function detectCredentialLeak(line) {
+  for (const provider of PROVIDER_CREDENTIAL_PATTERNS) {
+    if (provider.pattern.test(line)) {
+      return {
+        severity: "CRITICAL",
+        title: provider.title
+      };
+    }
+  }
+  if (OPENAI_SK_FALLBACK_PATTERN.test(line) && isCredentialAssignmentContext(line)) {
+    return {
+      severity: "CRITICAL",
+      title: "OpenAI-style API key exposure"
+    };
+  }
+  const assignmentMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (assignmentMatch?.[1] && assignmentMatch[2] && hasCredentialNameToken(assignmentMatch[1]) && isHighEntropyCredential(assignmentMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2] && hasCredentialNameToken(keyValueMatch[1]) && isHighEntropyCredential(keyValueMatch[2])) {
+    return {
+      severity: "HIGH",
+      title: "High-entropy credential assignment"
+    };
+  }
+  const bearerMatch = line.match(AUTHORIZATION_BEARER_PATTERN);
+  if (bearerMatch?.[1] && isHighEntropyCredential(bearerMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "Authorization bearer credential exposure"
+    };
+  }
+  const xApiKeyMatch = line.match(X_API_KEY_PATTERN);
+  if (xApiKeyMatch?.[1] && isHighEntropyCredential(xApiKeyMatch[1])) {
+    return {
+      severity: "HIGH",
+      title: "X-API-Key credential exposure"
+    };
+  }
+  return null;
+}
+function isCredentialAssignmentContext(line) {
+  if (/\bAuthorization\b\s*:\s*Bearer\s+sk-/i.test(line)) {
+    return true;
+  }
+  if (/\bx-api-key\b\s*:\s*sk-/i.test(line)) {
+    return true;
+  }
+  const equalsMatch = line.match(CREDENTIAL_EQUALS_PATTERN);
+  if (equalsMatch?.[1] && equalsMatch[2]) {
+    return hasCredentialNameToken(equalsMatch[1]) && equalsMatch[2].startsWith("sk-");
+  }
+  const keyValueMatch = line.match(CREDENTIAL_KEY_VALUE_PATTERN);
+  if (keyValueMatch?.[1] && keyValueMatch[2]) {
+    return hasCredentialNameToken(keyValueMatch[1]) && keyValueMatch[2].startsWith("sk-");
+  }
+  return false;
+}
+function hasCredentialNameToken(name) {
+  const normalized = name.replace(/([a-z])([A-Z])/g, "$1_$2").replace(/([A-Za-z])([0-9])/g, "$1_$2").replace(/([0-9])([A-Za-z])/g, "$1_$2").toLowerCase();
+  const tokens = normalized.split(/[_-]+/).map((token) => token.trim()).filter(Boolean);
+  if (tokens.some((token) => CREDENTIAL_NAME_TOKENS.has(token))) {
+    return true;
+  }
+  return tokens.length === 1 && CREDENTIAL_COMPOUND_NAMES.has(tokens[0]);
+}
+function isHighEntropyCredential(value) {
+  if (value.length < CREDENTIAL_MIN_LENGTH) {
+    return false;
+  }
+  return shannonEntropy(value) > CREDENTIAL_MIN_ENTROPY;
+}
 function getTextSources(skill) {
   const sources = [
     { text: skill.body, source: "SKILL.md" }