verification-layer 0.21.0 → 0.22.0

package/dist/scanners/api-security/index.test.js

@@ -0,0 +1,360 @@
+/**
+ * API Security Scanner Tests
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { apiSecurityScanner } from './index.js';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import * as os from 'os';
+describe('API Security Scanner', () => {
+    let tempDir = '';
+    let testFiles = [];
+    beforeEach(async () => {
+        tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'api-security-test-'));
+    });
+    afterEach(async () => {
+        // Cleanup
+        for (const file of testFiles) {
+            try {
+                await fs.unlink(file);
+            }
+            catch {
+                // Ignore
+            }
+        }
+        try {
+            await fs.rm(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore
+        }
+        testFiles = [];
+    });
+    async function createTestFile(filename, content) {
+        const filePath = path.join(tempDir, filename);
+        await fs.writeFile(filePath, content, 'utf-8');
+        testFiles.push(filePath);
+        return filePath;
+    }
+    const scanOptions = {
+        path: tempDir,
+    };
+    describe('RATE-001: Authentication Routes Without Rate Limiting', () => {
+        it('should detect POST /login without rate limiting', async () => {
+            const file = await createTestFile('auth.ts', `
+import express from 'express';
+
+const app = express();
+
+app.post('/login', (req, res) => {
+  // Login logic
+  res.json({ success: true });
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const rateFindings = findings.filter((f) => f.id === 'RATE-001');
+            expect(rateFindings.length).toBeGreaterThan(0);
+            expect(rateFindings[0].severity).toBe('high');
+        });
+        it('should detect POST /api/auth without rate limiting', async () => {
+            const file = await createTestFile('api-auth.ts', `
+router.post('/api/auth', authHandler);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+        });
+        it('should detect POST /register without rate limiting', async () => {
+            const file = await createTestFile('register.ts', `
+app.post('/register', async (req, res) => {
+  const user = await createUser(req.body);
+  res.json(user);
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+        });
+        it('should detect POST /password-reset without rate limiting', async () => {
+            const file = await createTestFile('reset.ts', `
+app.post('/password-reset', passwordResetHandler);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+        });
+        it('should detect Fastify auth route without rate limiting', async () => {
+            const file = await createTestFile('fastify-auth.ts', `
+fastify.post('/login', async (request, reply) => {
+  return { token: 'abc' };
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+        });
+        it('should detect Hono auth route without rate limiting', async () => {
+            const file = await createTestFile('hono-auth.ts', `
+import { Hono } from 'hono';
+const app = new Hono();
+
+app.post('/signin', (c) => {
+  return c.json({ token: 'abc' });
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+        });
+        it('should NOT flag auth route with rateLimit middleware', async () => {
+            const file = await createTestFile('safe-login.ts', `
+import rateLimit from 'express-rate-limit';
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 5
+});
+
+app.post('/login', loginLimiter, loginHandler);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const rateFindings = findings.filter((f) => f.id === 'RATE-001');
+            expect(rateFindings.length).toBe(0);
+        });
+        it('should NOT flag auth route with rateLimiter', async () => {
+            const file = await createTestFile('rate-limiter.ts', `
+const rateLimiter = createRateLimiter();
+
+app.post('/auth', rateLimiter, authHandler);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const rateFindings = findings.filter((f) => f.id === 'RATE-001');
+            expect(rateFindings.length).toBe(0);
+        });
+        it('should NOT flag auth route with throttle middleware', async () => {
+            const file = await createTestFile('throttle.ts', `
+import { throttle } from './middleware';
+
+router.post('/login', throttle, handleLogin);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const rateFindings = findings.filter((f) => f.id === 'RATE-001');
+            expect(rateFindings.length).toBe(0);
+        });
+        it('should NOT flag auth route with @upstash/ratelimit', async () => {
+            const file = await createTestFile('upstash.ts', `
+import { Ratelimit } from '@upstash/ratelimit';
+
+const ratelimit = new Ratelimit({
+  redis: Redis.fromEnv(),
+  limiter: Ratelimit.slidingWindow(10, '10 s'),
+});
+
+app.post('/register', async (req, res) => {
+  const { success } = await ratelimit.limit(req.ip);
+  if (!success) return res.status(429).send('Too many requests');
+  // Handle registration
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const rateFindings = findings.filter((f) => f.id === 'RATE-001');
+            expect(rateFindings.length).toBe(0);
+        });
+    });
+    describe('CORS-001: Open CORS Configuration', () => {
+        it('should detect cors({ origin: "*" })', async () => {
+            const file = await createTestFile('cors.ts', `
+import cors from 'cors';
+
+app.use(cors({
+  origin: "*"
+}));
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const corsFindings = findings.filter((f) => f.id === 'CORS-001');
+            expect(corsFindings.length).toBeGreaterThan(0);
+            expect(corsFindings[0].severity).toBe('high');
+        });
+        it('should detect Access-Control-Allow-Origin: *', async () => {
+            const file = await createTestFile('headers.ts', `
+app.use((req, res, next) => {
+  res.setHeader('Access-Control-Allow-Origin', '*');
+  next();
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CORS-001')).toBe(true);
+        });
+        it('should detect res.header with wildcard origin', async () => {
+            const file = await createTestFile('wildcard.ts', `
+res.header('Access-Control-Allow-Origin', '*');
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CORS-001')).toBe(true);
+        });
+        it('should detect headers.set with wildcard origin', async () => {
+            const file = await createTestFile('headers-set.ts', `
+response.headers.set('Access-Control-Allow-Origin', '*');
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'CORS-001')).toBe(true);
+        });
+        it('should NOT flag CORS with specific origins array', async () => {
+            const file = await createTestFile('safe-cors.ts', `
+app.use(cors({
+  origin: ['https://app.example.com', 'https://admin.example.com']
+}));
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const corsFindings = findings.filter((f) => f.id === 'CORS-001');
+            expect(corsFindings.length).toBe(0);
+        });
+        it('should NOT flag CORS with allowedOrigins', async () => {
+            const file = await createTestFile('allowed-origins.ts', `
+const allowedOrigins = ['https://app.example.com'];
+
+app.use(cors({
+  origin: allowedOrigins
+}));
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const corsFindings = findings.filter((f) => f.id === 'CORS-001');
+            expect(corsFindings.length).toBe(0);
+        });
+        it('should NOT flag CORS with environment variable', async () => {
+            const file = await createTestFile('env-origin.ts', `
+app.use(cors({
+  origin: process.env.ALLOWED_ORIGINS.split(',')
+}));
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const corsFindings = findings.filter((f) => f.id === 'CORS-001');
+            expect(corsFindings.length).toBe(0);
+        });
+        it('should NOT flag CORS for public assets', async () => {
+            const file = await createTestFile('public-assets.ts', `
+// Public assets can use wildcard CORS
+app.use('/public', cors({ origin: '*' }));
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const corsFindings = findings.filter((f) => f.id === 'CORS-001');
+            expect(corsFindings.length).toBe(0);
+        });
+    });
+    describe('API-001: PHI in URL Query Parameters', () => {
+        it('should detect ?ssn= in URL', async () => {
+            const file = await createTestFile('phi-url.ts', `
+const url = \`/api/patient?ssn=\${ssn}\`;
+fetch(url);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const phiFindings = findings.filter((f) => f.id === 'API-001');
+            expect(phiFindings.length).toBeGreaterThan(0);
+            expect(phiFindings[0].severity).toBe('high');
+            expect(phiFindings[0].category).toBe('phi-exposure');
+        });
+        it('should detect &dob= in URL', async () => {
+            const file = await createTestFile('dob-param.ts', `
+const queryUrl = '/search?name=John&dob=1990-01-01';
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+        it('should detect ?patient_name= in URL', async () => {
+            const file = await createTestFile('patient-name.ts', `
+axios.get('/api/records?patient_name=John Doe');
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+        it('should detect ?diagnosis= in URL', async () => {
+            const file = await createTestFile('diagnosis.ts', `
+const endpoint = \`/api/search?diagnosis=\${diagnosisCode}\`;
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+        it('should detect URLSearchParams with PHI', async () => {
+            const file = await createTestFile('search-params.ts', `
+const params = new URLSearchParams();
+params.append('ssn', patientSSN);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+        it('should detect searchParams.set with MRN', async () => {
+            const file = await createTestFile('mrn-param.ts', `
+searchParams.set('mrn', medicalRecordNumber);
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+        it('should NOT flag POST request with PHI in body', async () => {
+            const file = await createTestFile('safe-post.ts', `
+const response = await fetch('/api/patient', {
+  method: 'POST',
+  body: JSON.stringify({ ssn: patientSSN })
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const phiFindings = findings.filter((f) => f.id === 'API-001');
+            expect(phiFindings.length).toBe(0);
+        });
+        it('should NOT flag req.body usage', async () => {
+            const file = await createTestFile('req-body.ts', `
+app.post('/api/patient', (req, res) => {
+  const { ssn, dob } = req.body;
+  // Process PHI safely from body
+});
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const phiFindings = findings.filter((f) => f.id === 'API-001');
+            expect(phiFindings.length).toBe(0);
+        });
+        it('should NOT flag comments or examples', async () => {
+            const file = await createTestFile('comments.ts', `
+// Example: Don't use ?ssn=123-45-6789 in URLs
+// TODO: Remove ?dob= from query params
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            const phiFindings = findings.filter((f) => f.id === 'API-001');
+            expect(phiFindings.length).toBe(0);
+        });
+    });
+    describe('Combined violations', () => {
+        it('should detect multiple API violations in same file', async () => {
+            const file = await createTestFile('bad-api.ts', `
+import cors from 'cors';
+
+app.use(cors({ origin: '*' }));
+
+app.post('/login', loginHandler);
+
+const url = \`/api/patient?ssn=\${ssn}\`;
+`);
+            const findings = await apiSecurityScanner.scan([file], scanOptions);
+            expect(findings.some((f) => f.id === 'RATE-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'CORS-001')).toBe(true);
+            expect(findings.some((f) => f.id === 'API-001')).toBe(true);
+        });
+    });
+    it('should provide correct HIPAA references', async () => {
+        const file = await createTestFile('hipaa-refs.ts', `
+app.post('/login', handler);
+app.use(cors({ origin: '*' }));
+const url = '?ssn=123';
+`);
+        const findings = await apiSecurityScanner.scan([file], scanOptions);
+        expect(findings.every((f) => f.hipaaReference?.includes('164.312'))).toBe(true);
+    });
+    it('should have correct severity levels', async () => {
+        const file = await createTestFile('severity.ts', `
+app.post('/login', handler);
+app.use(cors({ origin: '*' }));
+const url = '?ssn=123';
+`);
+        const findings = await apiSecurityScanner.scan([file], scanOptions);
+        const rate001 = findings.find((f) => f.id === 'RATE-001');
+        const cors001 = findings.find((f) => f.id === 'CORS-001');
+        const api001 = findings.find((f) => f.id === 'API-001');
+        expect(rate001?.severity).toBe('high');
+        expect(cors001?.severity).toBe('high');
+        expect(api001?.severity).toBe('high');
+    });
+});
+//# sourceMappingURL=index.test.js.map

package/dist/scanners/api-security/index.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.test.js","sourceRoot":"","sources":["../../../src/scanners/api-security/index.test.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAEhD,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,KAAK,EAAE,MAAM,IAAI,CAAC;AAEzB,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;IACpC,IAAI,OAAO,GAAW,EAAE,CAAC;IACzB,IAAI,SAAS,GAAa,EAAE,CAAC;IAE7B,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,oBAAoB,CAAC,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,UAAU;QACV,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;QACD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,SAAS,GAAG,EAAE,CAAC;IACjB,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,cAAc,CAC3B,QAAgB,EAChB,OAAe;QAEf,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC/C,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,OAAO;KACd,CAAC;IAEF,QAAQ,CAAC,uDAAuD,EAAE,GAAG,EAAE;QACrE,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;YAC/D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0DAA0D,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,UAAU,EACV;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACtE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;;;CAOP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACpE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;;;;;;CASP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,6CAA6C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACnE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;;;;;;;;CAaP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,mCAAmC,EAAE,GAAG,EAAE;QACjD,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,SAAS,EACT;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAChD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;YAC5D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,gBAAgB,EAChB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kDAAkD,EAAE,KAAK,IAAI,EAAE;YAChE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,oBAAoB,EACpB;;;;;;CAMP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAC9D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;CAIP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;YACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sCAAsC,EAAE,GAAG,EAAE;QACpD,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YAC9C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC7C,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;YAC1C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;YACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,iBAAiB,EACjB;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACtD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,kBAAkB,EAClB;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;YACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;CAEP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;YAC7D,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,cAAc,EACd;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;YAC9C,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;;CAKP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,KAAK,IAAI,EAAE;YACpD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;CAGP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;YAC/D,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;YAClE,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,YAAY,EACZ;;;;;;;;CAQP,CACM,CAAC;YAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;YACpE,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC7D,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,eAAe,EACf;;;;CAIL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QACpE,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,MAAM,IAAI,GAAG,MAAM,cAAc,CAC/B,aAAa,EACb;;;;CAIL,CACI,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,WAAW,CAAC,CAAC;QAEpE,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;QAC1D,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,UAAU,CAAC,CAAC;QAC1D,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,SAAS,CAAC,CAAC;QAExD,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvC,MAAM,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/scanners/api-security/patterns.d.ts

@@ -0,0 +1,32 @@
+/**
+ * API Security Detection Patterns
+ * Detects authentication routes without rate limiting, open CORS, and PHI in URLs
+ */
+export interface ApiSecurityPattern {
+    id: string;
+    name: string;
+    description: string;
+    severity: 'high';
+    hipaaReference: string;
+    patterns: RegExp[];
+    negativePatterns?: RegExp[];
+    recommendation: string;
+    category: string;
+}
+/**
+ * RATE-001: Authentication Routes Without Rate Limiting
+ * Detects auth routes without rate limiting middleware
+ */
+export declare const AUTH_WITHOUT_RATE_LIMIT: ApiSecurityPattern;
+/**
+ * CORS-001: Open CORS Configuration
+ * Detects CORS configured with origin: "*"
+ */
+export declare const OPEN_CORS_CONFIGURATION: ApiSecurityPattern;
+/**
+ * API-001: PHI in URL Query Parameters
+ * Detects PHI data passed as URL query parameters
+ */
+export declare const PHI_IN_URL_PARAMS: ApiSecurityPattern;
+export declare const ALL_API_SECURITY_PATTERNS: ApiSecurityPattern[];
+//# sourceMappingURL=patterns.d.ts.map

package/dist/scanners/api-security/patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.d.ts","sourceRoot":"","sources":["../../../src/scanners/api-security/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,cAAc,EAAE,MAAM,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,eAAO,MAAM,uBAAuB,EAAE,kBAmDrC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,uBAAuB,EAAE,kBAqDrC,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,iBAAiB,EAAE,kBA0D/B,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,kBAAkB,EAIzD,CAAC"}

package/dist/scanners/api-security/patterns.js

@@ -0,0 +1,159 @@
+/**
+ * API Security Detection Patterns
+ * Detects authentication routes without rate limiting, open CORS, and PHI in URLs
+ */
+/**
+ * RATE-001: Authentication Routes Without Rate Limiting
+ * Detects auth routes without rate limiting middleware
+ */
+export const AUTH_WITHOUT_RATE_LIMIT = {
+    id: 'RATE-001',
+    name: 'Authentication Routes Without Rate Limiting',
+    description: 'Authentication route (/login, /signin, /auth, /register, /signup, /password-reset, /forgot-password) defined without rate limiting middleware (rateLimit, rateLimiter, throttle, slowDown, @upstash/ratelimit). Vulnerable to brute force attacks.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(a)(1) - Access Control',
+    patterns: [
+        // Express routes
+        /(?:app|router)\.(?:post|get|put|patch|delete|all)\s*\(\s*['"`]\/(?:api\/)?(?:auth|login|signin|register|signup|password-reset|forgot-password)/i,
+        // Next.js API routes in file path - detected separately
+        // This pattern won't match but we'll handle it in the scanner
+        // Fastify routes
+        /fastify\.(?:post|get|route)\s*\(\s*['"`]\/(?:api\/)?(?:auth|login|signin|register|signup|password-reset|forgot-password)/i,
+        // Hono routes
+        /app\.(?:post|get|put|patch|delete|all)\s*\(\s*['"`]\/(?:api\/)?(?:auth|login|signin|register|signup|password-reset|forgot-password)/i,
+        // Generic route definitions
+        /route\s*\(\s*['"`]\/(?:api\/)?(?:auth|login|signin|register|signup|password-reset|forgot-password)/i,
+    ],
+    negativePatterns: [
+        // Rate limiting middleware
+        /rateLimit/i,
+        /rateLimiter/i,
+        /rate-limit/i,
+        /throttle/i,
+        /slowDown/i,
+        /slow-down/i,
+        // Upstash rate limiting
+        /@upstash\/ratelimit/i,
+        /upstash.*limit/i,
+        // Express rate limit packages
+        /express-rate-limit/i,
+        /express-slow-down/i,
+        // Redis rate limiting
+        /redis.*limit/i,
+        // Custom rate limit implementations
+        /limitAttempts/i,
+        /checkRateLimit/i,
+        /rateLimitMiddleware/i,
+    ],
+    recommendation: 'Add rate limiting middleware to authentication routes. Example: const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 }); app.post("/login", limiter, loginHandler). Prevent brute force attacks on auth endpoints.',
+    category: 'access-control',
+};
+/**
+ * CORS-001: Open CORS Configuration
+ * Detects CORS configured with origin: "*"
+ */
+export const OPEN_CORS_CONFIGURATION = {
+    id: 'CORS-001',
+    name: 'Open CORS Configuration (origin: "*")',
+    description: 'CORS configured with origin: "*" or Access-Control-Allow-Origin: *. PHI endpoints must restrict access to trusted domains only. Exposes API to cross-origin attacks from any domain.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(e)(1) - Transmission Security',
+    patterns: [
+        // cors({ origin: "*" })
+        /cors\s*\(\s*\{[^}]*origin\s*:\s*['"`]\*['"`]/i,
+        // cors({ origin: '*' })
+        /cors\s*\(\s*\{[^}]*origin\s*:\s*['"`]\*['"`]/i,
+        // Access-Control-Allow-Origin: *
+        /Access-Control-Allow-Origin['"`]?\s*[,:]?\s*['"`]\*/i,
+        // setHeader('Access-Control-Allow-Origin', '*')
+        /setHeader\s*\(\s*['"`]Access-Control-Allow-Origin['"`]\s*,\s*['"`]\*['"`]/i,
+        // res.header('Access-Control-Allow-Origin', '*')
+        /\.header\s*\(\s*['"`]Access-Control-Allow-Origin['"`]\s*,\s*['"`]\*['"`]/i,
+        // response.headers.set('Access-Control-Allow-Origin', '*')
+        /headers\.set\s*\(\s*['"`]Access-Control-Allow-Origin['"`]\s*,\s*['"`]\*['"`]/i,
+    ],
+    negativePatterns: [
+        // Whitelist/allowlist of specific origins
+        /allowedOrigins/i,
+        /whitelist/i,
+        /allowlist/i,
+        /trustedOrigins/i,
+        // Environment-based origins
+        /process\.env/i,
+        /env\.[A-Z_]*ORIGIN/i,
+        /ALLOWED_ORIGIN/i,
+        // Origin validation functions
+        /validateOrigin/i,
+        /checkOrigin/i,
+        // Array of origins (specific domains)
+        /\[.*?https?:\/\//i,
+        // Public assets (non-PHI endpoints)
+        /public/i,
+        /assets/i,
+        /static/i,
+    ],
+    recommendation: 'Restrict CORS to trusted domains. Example: cors({ origin: ["https://app.example.com", "https://admin.example.com"] }) or use environment variables: cors({ origin: process.env.ALLOWED_ORIGINS.split(",") }). Never use origin: "*" for PHI endpoints.',
+    category: 'access-control',
+};
+/**
+ * API-001: PHI in URL Query Parameters
+ * Detects PHI data passed as URL query parameters
+ */
+export const PHI_IN_URL_PARAMS = {
+    id: 'API-001',
+    name: 'PHI Data in URL Query Parameters',
+    description: 'PHI data (ssn, dob, patient_name, patientName, diagnosis, medication, mrn, health_record) passed as URL query parameters (?ssn=, &dob=). URLs are logged by servers, proxies, and browsers, exposing PHI in logs.',
+    severity: 'high',
+    hipaaReference: '45 CFR §164.312(a)(1) - Access Control',
+    patterns: [
+        // Query parameter construction with PHI
+        /\?ssn=/i,
+        /&ssn=/i,
+        /\?dob=/i,
+        /&dob=/i,
+        /\?patient[-_]?name=/i,
+        /&patient[-_]?name=/i,
+        /\?patientName=/i,
+        /&patientName=/i,
+        /\?diagnosis=/i,
+        /&diagnosis=/i,
+        /\?medication=/i,
+        /&medication=/i,
+        /\?mrn=/i,
+        /&mrn=/i,
+        /\?health[-_]?record=/i,
+        /&health[-_]?record=/i,
+        // Template literals with PHI in query
+        /`[^`]*\?[^`]*(?:ssn|dob|patient[-_]?name|patientName|diagnosis|medication|mrn|health[-_]?record)=/i,
+        // URLSearchParams with PHI
+        /(?:params|searchParams|query)\.(?:append|set)\s*\(\s*['"`](?:ssn|dob|patient[-_]?name|patientName|diagnosis|medication|mrn|health[-_]?record)['"`]/i,
+    ],
+    negativePatterns: [
+        // POST request body (safe)
+        /\.post\s*\(/i,
+        /\.put\s*\(/i,
+        /\.patch\s*\(/i,
+        /body:/i,
+        /data:/i,
+        // Request body
+        /req\.body/i,
+        /request\.body/i,
+        // Comments or documentation
+        /\/\//,
+        /\/\*/,
+        /example/i,
+        /TODO/i,
+        // Test files
+        /\.test\./i,
+        /\.spec\./i,
+        /describe\(/i,
+    ],
+    recommendation: 'Never pass PHI in URL query parameters. Use POST request body instead. Example: Instead of GET /api/patient?ssn=123-45-6789, use POST /api/patient with body: { ssn: "123-45-6789" }. URLs are logged in server logs, proxy logs, and browser history.',
+    category: 'phi-exposure',
+};
+export const ALL_API_SECURITY_PATTERNS = [
+    AUTH_WITHOUT_RATE_LIMIT,
+    OPEN_CORS_CONFIGURATION,
+    PHI_IN_URL_PARAMS,
+];
+//# sourceMappingURL=patterns.js.map

package/dist/scanners/api-security/patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"patterns.js","sourceRoot":"","sources":["../../../src/scanners/api-security/patterns.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAcH;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,6CAA6C;IACnD,WAAW,EACT,oPAAoP;IACtP,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,wCAAwC;IACxD,QAAQ,EAAE;QACR,iBAAiB;QACjB,iJAAiJ;QAEjJ,wDAAwD;QACxD,8DAA8D;QAE9D,iBAAiB;QACjB,2HAA2H;QAE3H,cAAc;QACd,sIAAsI;QAEtI,4BAA4B;QAC5B,qGAAqG;KACtG;IACD,gBAAgB,EAAE;QAChB,2BAA2B;QAC3B,YAAY;QACZ,cAAc;QACd,aAAa;QACb,WAAW;QACX,WAAW;QACX,YAAY;QAEZ,wBAAwB;QACxB,sBAAsB;QACtB,iBAAiB;QAEjB,8BAA8B;QAC9B,qBAAqB;QACrB,oBAAoB;QAEpB,sBAAsB;QACtB,eAAe;QAEf,oCAAoC;QACpC,gBAAgB;QAChB,iBAAiB;QACjB,sBAAsB;KACvB;IACD,cAAc,EACZ,4NAA4N;IAC9N,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAuB;IACzD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,uCAAuC;IAC7C,WAAW,EACT,sLAAsL;IACxL,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,+CAA+C;IAC/D,QAAQ,EAAE;QACR,wBAAwB;QACxB,+CAA+C;QAE/C,wBAAwB;QACxB,+CAA+C;QAE/C,iCAAiC;QACjC,sDAAsD;QAEtD,gDAAgD;QAChD,4EAA4E;QAE5E,iDAAiD;QACjD,2EAA2E;QAE3E,2DAA2D;QAC3D,+EAA+E;KAChF;IACD,gBAAgB,EAAE;QAChB,0CAA0C;QAC1C,iBAAiB;QACjB,YAAY;QACZ,YAAY;QACZ,iBAAiB;QAEjB,4BAA4B;QAC5B,eAAe;QACf,qBAAqB;QACrB,iBAAiB;QAEjB,8BAA8B;QAC9B,iBAAiB;QACjB,cAAc;QAEd,sCAAsC;QACtC,mBAAmB;QAEnB,oCAAoC;QACpC,SAAS;QACT,SAAS;QACT,SAAS;KACV;IACD,cAAc,EACZ,wPAAwP;IAC1P,QAAQ,EAAE,gBAAgB;CAC3B,CAAC;AAEF;;;GAGG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAuB;IACnD,EAAE,EAAE,SAAS;IACb,IAAI,EAAE,kCAAkC;IACxC,WAAW,EACT,mNAAmN;IACrN,QAAQ,EAAE,MAAM;IAChB,cAAc,EAAE,wCAAwC;IACxD,QAAQ,EAAE;QACR,wCAAwC;QACxC,SAAS;QACT,QAAQ;QACR,SAAS;QACT,QAAQ;QACR,sBAAsB;QACtB,qBAAqB;QACrB,iBAAiB;QACjB,gBAAgB;QAChB,eAAe;QACf,cAAc;QACd,gBAAgB;QAChB,eAAe;QACf,SAAS;QACT,QAAQ;QACR,uBAAuB;QACvB,sBAAsB;QAEtB,sCAAsC;QACtC,oGAAoG;QAEpG,2BAA2B;QAC3B,qJAAqJ;KACtJ;IACD,gBAAgB,EAAE;QAChB,2BAA2B;QAC3B,cAAc;QACd,aAAa;QACb,eAAe;QACf,QAAQ;QACR,QAAQ;QAER,eAAe;QACf,YAAY;QACZ,gBAAgB;QAEhB,4BAA4B;QAC5B,MAAM;QACN,MAAM;QACN,UAAU;QACV,OAAO;QAEP,aAAa;QACb,WAAW;QACX,WAAW;QACX,aAAa;KACd;IACD,cAAc,EACZ,wPAAwP;IAC1P,QAAQ,EAAE,cAAc;CACzB,CAAC;AAEF,MAAM,CAAC,MAAM,yBAAyB,GAAyB;IAC7D,uBAAuB;IACvB,uBAAuB;IACvB,iBAAiB;CAClB,CAAC"}

package/dist/scanners/authentication/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Multi-Factor Authentication (MFA) Scanner
+ * Detects missing or bypassed MFA in authentication flows
+ */
+import type { Scanner } from '../../types.js';
+export declare const authenticationScanner: Scanner;
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/authentication/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/authentication/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAwB,MAAM,gBAAgB,CAAC;AAGpE,eAAO,MAAM,qBAAqB,EAAE,OAwEnC,CAAC"}