tryassay 0.34.0 → 0.35.1

package/dist/lib/__tests__/formal-verifier-claimless.test.js

@@ -0,0 +1,667 @@
+import { describe, it, expect } from 'vitest';
+import { runClaimlessChecks } from '../formal-verifier.js';
+describe('runClaimlessChecks', () => {
+    describe('SQL injection detection', () => {
+        it('detects string-concatenated SQL queries', () => {
+            const code = `
+const query = "SELECT * FROM users WHERE id = " + userId;
+db.query(query);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            expect(findings.length).toBeGreaterThan(0);
+            expect(findings[0].checkType).toBe('sql_parameterized');
+            expect(findings[0].severity).toBe('critical');
+            expect(findings[0].line).toBe(2);
+        });
+        it('passes clean parameterized queries', () => {
+            const code = `
+const query = "SELECT * FROM users WHERE id = $1";
+db.query(query, [userId]);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const sqlFindings = findings.filter(f => f.checkType === 'sql_parameterized');
+            expect(sqlFindings).toHaveLength(0);
+        });
+    });
+    describe('error handling detection', () => {
+        it('detects async function without try/catch', () => {
+            const code = `
+async function fetchData() {
+  const res = await fetch('/api/data');
+  return res.json();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const errFindings = findings.filter(f => f.checkType === 'error_handling');
+            expect(errFindings.length).toBeGreaterThan(0);
+            expect(errFindings[0].severity).toBe('high');
+        });
+        it('passes async function with try/catch', () => {
+            const code = `
+async function fetchData() {
+  try {
+    const res = await fetch('/api/data');
+    return res.json();
+  } catch (e) {
+    throw new Error('fetch failed');
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const errFindings = findings.filter(f => f.checkType === 'error_handling');
+            expect(errFindings).toHaveLength(0);
+        });
+    });
+    describe('API misuse detection', () => {
+        it('detects .flatten() misuse in JS/TS', () => {
+            const code = `
+const items = nested.flatten();
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const apiFindings = findings.filter(f => f.checkType === 'api_misuse');
+            expect(apiFindings.length).toBeGreaterThan(0);
+            expect(apiFindings[0].severity).toBe('critical');
+        });
+    });
+    describe('input validation detection', () => {
+        it('detects unvalidated req.body usage', () => {
+            const code = `
+app.post('/api/users', (req, res) => {
+  const name = req.body.name;
+  db.insert({ name });
+});
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const valFindings = findings.filter(f => f.checkType === 'input_validation');
+            expect(valFindings.length).toBeGreaterThan(0);
+        });
+    });
+    describe('null safety detection', () => {
+        it('detects non-null assertion operator as null_check finding', () => {
+            const code = `
+const result = value!.property;
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const nullFindings = findings.filter(f => f.checkType === 'null_check');
+            expect(nullFindings.length).toBeGreaterThan(0);
+            expect(nullFindings[0].severity).toBe('medium');
+        });
+        it('does not flag optional chaining as a null_check finding', () => {
+            const code = `
+const result = value?.property;
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const nullFindings = findings.filter(f => f.checkType === 'null_check');
+            expect(nullFindings).toHaveLength(0);
+        });
+    });
+    describe('clean code produces no findings', () => {
+        it('returns empty array for well-written code', () => {
+            const code = `
+function add(a: number, b: number): number {
+  return a + b;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            expect(findings).toHaveLength(0);
+        });
+    });
+    describe('security_control detection', () => {
+        it('detects eval() usage', () => {
+            const code = `
+const result = eval(userInput);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const secFindings = findings.filter(f => f.checkType === 'security_control');
+            expect(secFindings.length).toBeGreaterThan(0);
+            expect(secFindings[0].severity).toBe('critical');
+        });
+        it('detects innerHTML assignment', () => {
+            const code = `
+element.innerHTML = userInput;
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const secFindings = findings.filter(f => f.checkType === 'security_control');
+            expect(secFindings.length).toBeGreaterThan(0);
+            expect(secFindings[0].severity).toBe('critical');
+        });
+        it('detects hardcoded API key (sk_live_)', () => {
+            const code = `
+const apiKey = "sk_live_abc123xyz";
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const secFindings = findings.filter(f => f.checkType === 'security_control');
+            expect(secFindings.length).toBeGreaterThan(0);
+            expect(secFindings[0].severity).toBe('critical');
+        });
+        it('passes safe DOM operations', () => {
+            const code = `
+element.textContent = userInput;
+const text = element.innerHTML;
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const secFindings = findings.filter(f => f.checkType === 'security_control');
+            expect(secFindings).toHaveLength(0);
+        });
+    });
+    describe('data_handling detection', () => {
+        it('detects JSON.parse without try/catch', () => {
+            const code = `
+function parseData(raw: string) {
+  const data = JSON.parse(raw);
+  return data;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const dataFindings = findings.filter(f => f.checkType === 'data_handling');
+            expect(dataFindings.length).toBeGreaterThan(0);
+            expect(dataFindings[0].severity).toBe('high');
+        });
+        it('passes JSON.parse inside try/catch', () => {
+            const code = `
+function parseData(raw: string) {
+  try {
+    const data = JSON.parse(raw);
+    return data;
+  } catch (e) {
+    return null;
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const dataFindings = findings.filter(f => f.checkType === 'data_handling');
+            expect(dataFindings).toHaveLength(0);
+        });
+    });
+    describe('configuration_check detection', () => {
+        it('detects process.env.X without fallback', () => {
+            const code = `
+const port = process.env.PORT;
+app.listen(port);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const configFindings = findings.filter(f => f.checkType === 'configuration_check');
+            expect(configFindings.length).toBeGreaterThan(0);
+            expect(configFindings[0].severity).toBe('high');
+        });
+        it('passes process.env.X with ?? fallback', () => {
+            const code = `
+const port = process.env.PORT ?? '3000';
+app.listen(port);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const configFindings = findings.filter(f => f.checkType === 'configuration_check');
+            expect(configFindings).toHaveLength(0);
+        });
+        it('passes process.env.X with || fallback', () => {
+            const code = `
+const port = process.env.PORT || '3000';
+app.listen(port);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const configFindings = findings.filter(f => f.checkType === 'configuration_check');
+            expect(configFindings).toHaveLength(0);
+        });
+    });
+    describe('undefined_reference detection', () => {
+        it('detects import of deprecated "request" package', () => {
+            const code = `
+import request from 'request';
+request.get('/api/data', callback);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const refFindings = findings.filter(f => f.checkType === 'undefined_reference');
+            expect(refFindings.length).toBeGreaterThan(0);
+            expect(refFindings[0].severity).toBe('high');
+        });
+        it('passes non-deprecated imports like express', () => {
+            const code = `
+import express from 'express';
+const app = express();
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const refFindings = findings.filter(f => f.checkType === 'undefined_reference');
+            expect(refFindings).toHaveLength(0);
+        });
+    });
+    describe('type_annotation detection', () => {
+        it('detects exported function without return type in TypeScript', () => {
+            const code = `
+export function foo(items) {
+  return items.length;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const typeFindings = findings.filter(f => f.checkType === 'type_annotation');
+            expect(typeFindings.length).toBeGreaterThan(0);
+            expect(typeFindings[0].severity).toBe('medium');
+        });
+        it('passes exported function with return type in TypeScript', () => {
+            const code = `
+export function foo(items: Item[]): number {
+  return items.length;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const typeFindings = findings.filter(f => f.checkType === 'type_annotation');
+            expect(typeFindings).toHaveLength(0);
+        });
+        it('does not flag type_annotation in JavaScript', () => {
+            const code = `
+export function foo(items) {
+  return items.length;
+}
+`;
+            const findings = runClaimlessChecks(code, 'javascript');
+            const typeFindings = findings.filter(f => f.checkType === 'type_annotation');
+            expect(typeFindings).toHaveLength(0);
+        });
+    });
+    describe('connectivity_check detection', () => {
+        it('detects fetch() without timeout/signal', () => {
+            const code = `
+async function getData() {
+  const res = await fetch('https://api.example.com/data');
+  return res.json();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const connFindings = findings.filter(f => f.checkType === 'connectivity_check');
+            expect(connFindings.length).toBeGreaterThan(0);
+            expect(connFindings[0].severity).toBe('medium');
+        });
+        it('passes fetch() with AbortSignal.timeout', () => {
+            const code = `
+async function getData() {
+  const res = await fetch('https://api.example.com/data', { signal: AbortSignal.timeout(5000) });
+  return res.json();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const connFindings = findings.filter(f => f.checkType === 'connectivity_check');
+            expect(connFindings).toHaveLength(0);
+        });
+    });
+    // ── Check 12: Async forEach ──────────────────────────────────
+    describe('async forEach detection (check 12)', () => {
+        it('detects async callback inside forEach', () => {
+            const code = `
+const items = [1, 2, 3];
+items.forEach(async (item) => {
+  await processItem(item);
+});
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('foreach'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('critical');
+        });
+        it('passes for-of loop with await', () => {
+            const code = `
+for (const item of items) {
+  await processItem(item);
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('foreach'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 13: Console in production ──────────────────────────
+    describe('console.log/debug detection (check 13)', () => {
+        it('detects console.log', () => {
+            const code = `
+function handleClick() {
+  console.log("button clicked");
+  submitForm();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'debug_artifact');
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('medium');
+        });
+        it('detects console.debug', () => {
+            const code = `
+function loadData() {
+  console.debug("loading...");
+  return fetch('/api/data');
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'debug_artifact');
+            expect(f.length).toBeGreaterThan(0);
+        });
+        it('does not flag console.error or console.warn', () => {
+            const code = `
+function handleError(err: Error) {
+  console.error("Fatal:", err.message);
+  console.warn("Deprecation notice");
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'debug_artifact');
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 14: Loose equality ─────────────────────────────────
+    describe('loose equality detection (check 14)', () => {
+        it('detects == null', () => {
+            const code = `
+function check(x: unknown) {
+  if (x == null) {
+    return 'missing';
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'equality_check');
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('medium');
+        });
+        it('detects != undefined', () => {
+            const code = `
+function validate(y: string | undefined) {
+  if (y != undefined) {
+    process(y);
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'equality_check');
+            expect(f.length).toBeGreaterThan(0);
+        });
+        it('passes strict equality', () => {
+            const code = `
+function check(x: unknown) {
+  if (x === null || x === undefined) {
+    return 'missing';
+  }
+  if (x !== null) {
+    process(x);
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'equality_check');
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 15: RegExp injection ───────────────────────────────
+    describe('RegExp injection detection (check 15)', () => {
+        it('detects new RegExp with variable', () => {
+            const code = `
+function search(userInput: string, text: string) {
+  const re = new RegExp(userInput);
+  return re.test(text);
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('regexp'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('critical');
+        });
+        it('passes new RegExp with string literal', () => {
+            const code = `
+const emailPattern = new RegExp("^[a-zA-Z0-9.]+@example\\\\.com$");
+const isValid = emailPattern.test(input);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('regexp'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 16: Promise.all without error handling ─────────────
+    describe('Promise.all without error handling (check 16)', () => {
+        it('detects Promise.all without try/catch', () => {
+            const code = `
+async function loadAll(urls: string[]) {
+  const promises = urls.map(url => fetch(url));
+  const results = await Promise.all(promises);
+  return results;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('promise.all'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('high');
+        });
+        it('passes Promise.all inside try/catch', () => {
+            const code = `
+async function loadAll(urls: string[]) {
+  try {
+    const promises = urls.map(url => fetch(url));
+    const results = await Promise.all(promises);
+    return results;
+  } catch (e) {
+    handleError(e);
+    return [];
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('promise.all'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 17: parseInt without radix ─────────────────────────
+    describe('parseInt without radix (check 17)', () => {
+        it('detects parseInt with single argument', () => {
+            const code = `
+function parseAge(input: string) {
+  const age = parseInt(input);
+  return age;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'api_misuse' && f.evidence.toLowerCase().includes('parseint'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('medium');
+        });
+        it('passes parseInt with radix', () => {
+            const code = `
+function parseAge(input: string) {
+  const age = parseInt(input, 10);
+  return age;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'api_misuse' && f.evidence.toLowerCase().includes('parseint'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 18: Fetch body on GET ──────────────────────────────
+    describe('fetch body on GET (check 18)', () => {
+        it('detects body in GET request', () => {
+            const code = `
+async function getData(filters: object) {
+  const res = await fetch('/api/data', {
+    method: 'GET',
+    body: JSON.stringify(filters)
+  });
+  return res.json();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'api_misuse' && f.evidence.toLowerCase().includes('body'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('high');
+        });
+        it('passes body in POST request', () => {
+            const code = `
+async function createItem(data: object) {
+  const res = await fetch('/api/items', {
+    method: 'POST',
+    body: JSON.stringify(data),
+    headers: { 'Content-Type': 'application/json' }
+  });
+  return res.json();
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'api_misuse' && f.evidence.toLowerCase().includes('body') && f.evidence.toLowerCase().includes('get'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 19: addEventListener without cleanup ───────────────
+    describe('addEventListener without cleanup (check 19)', () => {
+        it('detects addEventListener in useEffect without removeEventListener', () => {
+            const code = `
+useEffect(() => {
+  window.addEventListener('resize', handleResize);
+}, []);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'resource_leak');
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('high');
+        });
+        it('passes addEventListener with cleanup', () => {
+            const code = `
+useEffect(() => {
+  window.addEventListener('resize', handleResize);
+  return () => window.removeEventListener('resize', handleResize);
+}, []);
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'resource_leak');
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 20: Empty catch block ──────────────────────────────
+    describe('empty catch block (check 20)', () => {
+        it('detects empty catch block', () => {
+            const code = `
+function safeParse(json: string) {
+  try {
+    return JSON.parse(json);
+  } catch (e) {}
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('empty catch'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('high');
+        });
+        it('passes catch with error handling', () => {
+            const code = `
+function safeParse(json: string) {
+  try {
+    return JSON.parse(json);
+  } catch (e) {
+    console.error('Parse failed:', e);
+    return null;
+  }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'error_handling' && f.evidence.toLowerCase().includes('empty catch'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 21: dangerouslySetInnerHTML ────────────────────────
+    describe('dangerouslySetInnerHTML (check 21)', () => {
+        it('detects dangerouslySetInnerHTML', () => {
+            const code = `
+function RichContent({ html }: { html: string }) {
+  return <div dangerouslySetInnerHTML={{ __html: html }} />;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('dangerously'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('critical');
+        });
+        it('passes safe JSX', () => {
+            const code = `
+function SafeContent({ text }: { text: string }) {
+  return <div>{text}</div>;
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('dangerously'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 22: Hardcoded http:// URLs ─────────────────────────
+    describe('hardcoded http:// URLs (check 22)', () => {
+        it('detects hardcoded http:// URL', () => {
+            const code = `
+const API_BASE = "http://example.com/api";
+const res = await fetch(API_BASE + "/users");
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('http://'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('medium');
+        });
+        it('passes https:// URLs', () => {
+            const code = `
+const API_BASE = "https://example.com/api";
+const res = await fetch(API_BASE + "/users");
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('http://'));
+            expect(f).toHaveLength(0);
+        });
+        it('passes http://localhost', () => {
+            const code = `
+const DEV_API = "http://localhost:3000/api";
+const res = await fetch(DEV_API + "/health");
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('http://'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 23: document.write ─────────────────────────────────
+    describe('document.write (check 23)', () => {
+        it('detects document.write', () => {
+            const code = `
+function renderPage(content: string) {
+  document.write("<h1>" + content + "</h1>");
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('document.write'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('medium');
+        });
+        it('passes safe DOM manipulation', () => {
+            const code = `
+function renderPage(content: string) {
+  const el = document.getElementById("root");
+  if (el) { el.textContent = content; }
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('document.write'));
+            expect(f).toHaveLength(0);
+        });
+    });
+    // ── Check 24: setTimeout with string ─────────────────────────
+    describe('setTimeout with string (check 24)', () => {
+        it('detects setTimeout with string argument', () => {
+            const code = `
+function delayedGreeting(name: string) {
+  setTimeout("alert('Hello')", 1000);
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('settimeout'));
+            expect(f.length).toBeGreaterThan(0);
+            expect(f[0].severity).toBe('critical');
+        });
+        it('passes setTimeout with function', () => {
+            const code = `
+function delayedGreeting(name: string) {
+  setTimeout(() => alert('Hello ' + name), 1000);
+}
+`;
+            const findings = runClaimlessChecks(code, 'typescript');
+            const f = findings.filter(f => f.checkType === 'security_control' && f.evidence.toLowerCase().includes('settimeout'));
+            expect(f).toHaveLength(0);
+        });
+    });
+});
+//# sourceMappingURL=formal-verifier-claimless.test.js.map