technical-debt-radar 1.2.2 → 1.3.0

package/dist/index.js

@@ -87,7 +87,9 @@ var require_constants = __commonJS({
       EMPTY_CATCH_BLOCK: "empty-catch-block",
       MISSING_ERROR_LOGGING: "missing-error-logging",
       TRANSACTION_NO_TIMEOUT: "transaction-no-timeout",
-      MISSING_NULL_GUARD: "missing-null-guard"
+      MISSING_NULL_GUARD: "missing-null-guard",
+      MISSING_DTO_VALIDATION: "missing-dto-validation",
+      UNGUARDED_ROUTE_TODO: "unguarded-route-todo"
     };
     exports2.PERFORMANCE_RULES = {
       UNBOUNDED_FIND_MANY: "unbounded-find-many",
@@ -98,7 +100,8 @@ var require_constants = __commonJS({
       MISSING_PAGINATION: "missing-pagination-endpoint",
       UNFILTERED_COUNT: "unfiltered-count-large-table",
       RAW_SQL_NO_LIMIT: "raw-sql-no-limit",
-      RAW_SQL_UNSAFE: "raw-sql-unsafe"
+      RAW_SQL_UNSAFE: "raw-sql-unsafe",
+      DANGEROUS_DELETE_ALL: "dangerous-delete-all"
     };
     exports2.MAINTAINABILITY_RULES = {
       HIGH_COMPLEXITY: "high-complexity",
@@ -14030,6 +14033,26 @@ var require_runtime_risk_detector = __commonJS({
           }
         }
       });
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const expr = node.getExpression();
+        if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
+          return;
+        if (expr.getName() !== "map")
+          return;
+        const args = node.getArguments();
+        if (args.length === 0)
+          return;
+        const callbackText = args[0].getText();
+        if (!/\(\?[=!]|\.\*|\[.*?\]|\\[bBdDwWsS]/.test(callbackText))
+          return;
+        const fileText = sourceFile.getText();
+        if (!/\$regex/.test(fileText))
+          return;
+        const fn = getEnclosingFunction(node, allFunctions);
+        violations.push(makeViolation(shared_1.RUNTIME_RISK_RULES.REDOS_VULNERABLE_REGEX, filePath, node.getStartLineNumber(), "Dynamic regex construction from user input used with $regex \u2014 ReDoS vulnerability", policy, fn?.name, "Use a safe text search method (MongoDB $text index) instead of $regex with user input. Escape special regex characters."));
+      });
     }
     function isRedosVulnerable(pattern) {
       const nestedQuantifier = /([+*])\)?[+*{]/;
@@ -14464,6 +14487,7 @@ var require_perf_pattern_detector = __commonJS({
         detectMissingPagination(sourceFile, file.path, fns, policy, violations);
         detectUnfilteredCount(sourceFile, file.path, fns, policy, violations);
         detectRawSqlNoLimit(sourceFile, file.path, fns, policy, violations);
+        detectDangerousDeleteAll(sourceFile, file.path, fns, policy, violations);
         project.removeSourceFile(sourceFile);
       }
       return applyExceptions(violations, policy);
@@ -14709,14 +14733,26 @@ var require_perf_pattern_detector = __commonJS({
       if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
         return void 0;
       const obj = expr.getExpression();
-      if (!ts_morph_1.Node.isIdentifier(obj))
-        return void 0;
-      const name = obj.getText();
-      if (!/^[A-Z]/.test(name))
-        return void 0;
-      if (/^(Promise|Array|Object|String|Number|Boolean|Buffer|JSON|Math|Date|Map|Set|Error|RegExp|console|process|Sequelize|DataTypes)$/.test(name))
-        return void 0;
-      return name;
+      if (ts_morph_1.Node.isIdentifier(obj)) {
+        const name = obj.getText();
+        if (!/^[A-Z]/.test(name))
+          return void 0;
+        if (/^(Promise|Array|Object|String|Number|Boolean|Buffer|JSON|Math|Date|Map|Set|Error|RegExp|console|process|Sequelize|DataTypes)$/.test(name))
+          return void 0;
+        return name;
+      }
+      if (ts_morph_1.Node.isPropertyAccessExpression(obj)) {
+        const propName = obj.getName();
+        const thisExpr = obj.getExpression();
+        if (ts_morph_1.Node.isThisExpression(thisExpr) || ts_morph_1.Node.isIdentifier(thisExpr) && thisExpr.getText() === "this") {
+          const match = propName.match(/^(\w+?)(Model|Repository|Repo|Service|Collection)$/i);
+          if (match)
+            return match[1].charAt(0).toUpperCase() + match[1].slice(1);
+          if (/^[a-z]/.test(propName))
+            return propName.charAt(0).toUpperCase() + propName.slice(1);
+        }
+      }
+      return void 0;
     }
     var SEQUELIZE_FIND_METHODS = /* @__PURE__ */ new Set([
       "findAll",
@@ -16082,6 +16118,25 @@ var require_perf_pattern_detector = __commonJS({
     function escapeRegex(str) {
       return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
     }
+    function detectDangerousDeleteAll(sourceFile, filePath, fns, policy, violations) {
+      const DANGEROUS_DELETE_METHODS = /* @__PURE__ */ new Set(["deleteMany", "remove", "clear", "destroyAll"]);
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isCallExpression(node))
+          return;
+        const expr = node.getExpression();
+        if (!ts_morph_1.Node.isPropertyAccessExpression(expr))
+          return;
+        const methodName = expr.getName();
+        if (!DANGEROUS_DELETE_METHODS.has(methodName))
+          return;
+        const args = node.getArguments();
+        const hasFilter = args.length > 0 && !(ts_morph_1.Node.isObjectLiteralExpression(args[0]) && args[0].getProperties().length === 0);
+        if (hasFilter)
+          return;
+        const fn = getEnclosingFn(node, fns);
+        pushIfNotNull(violations, makeViolation(shared_1.PERFORMANCE_RULES.DANGEROUS_DELETE_ALL, filePath, node.getStartLineNumber(), `${methodName}() with empty or no filter \u2014 may delete all records`, policy, void 0, fn?.name, "Add a filter to deleteMany() or use deleteOne() \u2014 deleting all records is rarely intentional"));
+      });
+    }
     function applyExceptions(violations, policy) {
       return violations.filter((v) => !policy.exceptions.some((ex) => ex.isActive && ex.rule === v.ruleId && v.file.includes(ex.file)));
     }
@@ -16115,6 +16170,8 @@ var require_reliability_detector = __commonJS({
         detectMissingErrorLogging(sourceFile, file.path, fns, policy, violations);
         detectTransactionNoTimeout(sourceFile, file.path, fns, policy, violations);
         detectMissingNullGuard(sourceFile, file.path, fns, policy, violations);
+        detectMissingDtoValidation(sourceFile, file.path, fns, policy, violations);
+        detectUnguardedRouteTodo(sourceFile, file.path, fns, policy, violations);
         project.removeSourceFile(sourceFile);
       }
       return applyExceptions(violations, policy);
@@ -16571,25 +16628,53 @@ var require_reliability_detector = __commonJS({
       }
       return false;
     }
+    var SDK_CLIENTS_NO_TIMEOUT = /* @__PURE__ */ new Set([
+      "Replicate",
+      "OpenAI",
+      "Anthropic",
+      "Stripe",
+      "Twilio",
+      "SendGrid"
+    ]);
     function detectExternalCallNoTimeout(sourceFile, filePath, fns, policy, violations) {
       sourceFile.forEachDescendant((node) => {
-        if (!ts_morph_1.Node.isCallExpression(node))
-          return;
-        let callType = null;
-        for (const [name, matcher] of Object.entries(EXTERNAL_CALL_PATTERNS)) {
-          if (matcher(node)) {
-            callType = name;
-            break;
+        if (ts_morph_1.Node.isCallExpression(node)) {
+          let callType = null;
+          for (const [name, matcher] of Object.entries(EXTERNAL_CALL_PATTERNS)) {
+            if (matcher(node)) {
+              callType = name;
+              break;
+            }
           }
-        }
-        if (!callType)
-          return;
-        if (hasTimeoutOption(node))
-          return;
-        if (isInsideRetryLoop(node))
+          if (!callType)
+            return;
+          if (hasTimeoutOption(node))
+            return;
+          if (isInsideRetryLoop(node))
+            return;
+          const fn = getEnclosingFn(node, fns);
+          violations.push(makeViolation(shared_1.RELIABILITY_RULES.EXTERNAL_CALL_NO_TIMEOUT, filePath, node.getStartLineNumber(), `${callType}() call without timeout \u2014 may hang indefinitely`, policy, fn?.name, `Add a timeout option or use AbortController with setTimeout`));
           return;
-        const fn = getEnclosingFn(node, fns);
-        violations.push(makeViolation(shared_1.RELIABILITY_RULES.EXTERNAL_CALL_NO_TIMEOUT, filePath, node.getStartLineNumber(), `${callType}() call without timeout \u2014 may hang indefinitely`, policy, fn?.name, `Add a timeout option or use AbortController with setTimeout`));
+        }
+        if (ts_morph_1.Node.isNewExpression(node)) {
+          const expr = node.getExpression();
+          if (!ts_morph_1.Node.isIdentifier(expr))
+            return;
+          const className = expr.getText();
+          if (!SDK_CLIENTS_NO_TIMEOUT.has(className))
+            return;
+          const args = node.getArguments();
+          const hasTimeout = args.some((arg) => {
+            if (ts_morph_1.Node.isObjectLiteralExpression(arg)) {
+              return /timeout/i.test(arg.getText());
+            }
+            return false;
+          });
+          if (hasTimeout)
+            return;
+          const fn = getEnclosingFn(node, fns);
+          violations.push(makeViolation(shared_1.RELIABILITY_RULES.EXTERNAL_CALL_NO_TIMEOUT, filePath, node.getStartLineNumber(), `new ${className}() without timeout option \u2014 API calls may hang indefinitely`, policy, fn?.name, `Add a timeout option: new ${className}({ timeout: 30000, ... })`));
+        }
       });
     }
     function isInsideRetryLoop(node) {
@@ -16839,6 +16924,58 @@ var require_reliability_detector = __commonJS({
         violations.push(makeViolation(shared_1.RELIABILITY_RULES.MISSING_NULL_GUARD, filePath, node.getStartLineNumber(), `Array index access '${varName}[${indexArg.getText()}]' without length guard \u2014 may throw on empty results`, policy, fn?.name, `Add a guard: if (${varName}.length === 0) throw new NotFoundException();`));
       });
     }
+    function detectMissingDtoValidation(sourceFile, filePath, fns, policy, violations) {
+      if (!filePath.includes("controller"))
+        return;
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isMethodDeclaration(node))
+          return;
+        for (const param of node.getParameters()) {
+          const decorators = param.getDecorators();
+          const hasBody = decorators.some((d) => d.getName() === "Body");
+          const hasQuery = decorators.some((d) => d.getName() === "Query");
+          if (!hasBody && !hasQuery)
+            continue;
+          const typeNode = param.getTypeNode();
+          if (!typeNode)
+            continue;
+          const typeText = typeNode.getText().trim();
+          if (typeText !== "any")
+            continue;
+          const decName = hasBody ? "@Body()" : "@Query()";
+          const fn = getEnclosingFn(node, fns);
+          violations.push(makeViolation(shared_1.RELIABILITY_RULES.MISSING_DTO_VALIDATION, filePath, node.getStartLineNumber(), `${decName} parameter typed as 'any' \u2014 bypasses class-validator validation`, policy, fn?.name, "Create a DTO class with class-validator decorators and use it instead of any"));
+        }
+      });
+    }
+    var ROUTE_DECORATORS = /* @__PURE__ */ new Set(["Get", "Post", "Put", "Delete", "Patch", "All", "Head", "Options"]);
+    var GUARD_TODO_PATTERN = /TODO|FIXME|HACK|guard|auth|security|protected/i;
+    function detectUnguardedRouteTodo(sourceFile, filePath, fns, policy, violations) {
+      if (!filePath.includes("controller"))
+        return;
+      sourceFile.forEachDescendant((node) => {
+        if (!ts_morph_1.Node.isMethodDeclaration(node))
+          return;
+        const decorators = node.getDecorators();
+        const isRoute = decorators.some((d) => ROUTE_DECORATORS.has(d.getName()));
+        if (!isRoute)
+          return;
+        const fullText = node.getFullText();
+        if (!GUARD_TODO_PATTERN.test(fullText))
+          return;
+        const hasGuard = decorators.some((d) => d.getName() === "UseGuards");
+        if (hasGuard)
+          return;
+        const classNode = node.getParent();
+        if (classNode && ts_morph_1.Node.isClassDeclaration(classNode)) {
+          const classGuard = classNode.getDecorators().some((d) => d.getName() === "UseGuards");
+          if (classGuard)
+            return;
+        }
+        const fn = getEnclosingFn(node, fns);
+        violations.push(makeViolation(shared_1.RELIABILITY_RULES.UNGUARDED_ROUTE_TODO, filePath, node.getStartLineNumber(), `Route handler '${node.getName?.() ?? "anonymous"}' has TODO/FIXME comment and no @UseGuards() \u2014 unprotected endpoint`, policy, fn?.name, "Add @UseGuards(JwtAuthGuard) or appropriate guard \u2014 this route is currently unprotected"));
+      });
+    }
     function escapeRegex(str) {
       return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
     }
@@ -19583,7 +19720,15 @@ async function scanCommand(targetPath, options) {
       commit: getGitCommit(),
       duration: Date.now() - scanStart,
       usedAi: shouldRunAi,
-      aiCreditsUsed: 0
+      aiCreditsUsed: 0,
+      // PR metadata from CI environment (set by GitHub Action or GitLab CI)
+      ...process.env.RADAR_PR_NUMBER ? {
+        prNumber: parseInt(process.env.RADAR_PR_NUMBER, 10),
+        prTitle: process.env.RADAR_PR_TITLE,
+        prUrl: process.env.RADAR_PR_URL,
+        platform: process.env.RADAR_PLATFORM ?? "github",
+        mode
+      } : {}
     };
     try {
       await client.reportScan(reportData);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "technical-debt-radar",
-  "version": "1.2.2",
+  "version": "1.3.0",
   "description": "Stop Node.js production crashes before merge. 47 detection patterns across 5 categories.",
   "bin": {
     "radar": "dist/index.js",