vibecheck-ai 2.0.1 → 5.0.0

package/bin/runners/context/security-scanner.js

@@ -0,0 +1,541 @@
+/**
+ * Security Scanner Module
+ * Scans context for secrets, vulnerabilities, and sensitive data
+ * Enhanced with entropy checking and better false positive prevention
+ */
+
+const fs = require("fs");
+const path = require("path");
+const crypto = require("crypto");
+
+/**
+ * Calculate Shannon entropy of a string
+ * Higher entropy = more random = more likely to be a real secret
+ */
+function calculateEntropy(str) {
+  if (!str || str.length === 0) return 0;
+  
+  const freq = {};
+  for (const char of str) {
+    freq[char] = (freq[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  const len = str.length;
+  for (const count of Object.values(freq)) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  
+  return entropy;
+}
+
+/**
+ * Check if a value is a known false positive
+ */
+function isFalsePositive(value, line, filePath) {
+  const lowerValue = value.toLowerCase();
+  const lowerLine = line.toLowerCase();
+  const lowerPath = filePath.toLowerCase();
+  
+  // Common placeholder/test values
+  const falsePositiveValues = [
+    'example', 'test', 'sample', 'demo', 'placeholder', 'mock', 'fake', 'dummy',
+    'your_key', 'your_secret', 'your_token', 'changeme', 'replace_me', 'xxx',
+    'password', 'password123', 'secret', 'admin', '12345', 'qwerty'
+  ];
+  
+  for (const fp of falsePositiveValues) {
+    if (lowerValue.includes(fp)) return true;
+  }
+  
+  // Repeating characters (low entropy)
+  if (/^(.)\1{5,}$/.test(value)) return true;
+  
+  // Sequential characters
+  if (/^(012|123|234|345|456|567|678|789|abc|bcd|cde)/i.test(value)) return true;
+  
+  // Test/example context
+  if (lowerLine.includes('example') || lowerLine.includes('// test')) return true;
+  if (lowerPath.includes('.test.') || lowerPath.includes('.spec.')) return true;
+  if (lowerPath.includes('__tests__') || lowerPath.includes('__mocks__')) return true;
+  if (lowerPath.includes('/fixtures/') || lowerPath.includes('/examples/')) return true;
+  
+  // Documentation context
+  if (lowerPath.endsWith('.md') || lowerPath.includes('/docs/')) return true;
+  
+  // Env template files
+  if (lowerPath.includes('.env.example') || lowerPath.includes('.env.template')) return true;
+  if (lowerPath.includes('.env.sample')) return true;
+  
+  // Type definitions
+  if (lowerLine.includes('type ') || lowerLine.includes('interface ')) return true;
+  
+  // Import statements
+  if (lowerLine.startsWith('import ') || lowerLine.includes('require(')) return true;
+  
+  return false;
+}
+
+/**
+ * Secret patterns to detect
+ * Each pattern now includes minEntropy for generic patterns
+ */
+const SECRET_PATTERNS = [
+  // API Keys - specific formats (high confidence, no entropy check needed)
+  { pattern: /AIza[0-9A-Za-z_-]{35}/, type: "Google API Key", minEntropy: 3.5 },
+  { pattern: /AKIA[0-9A-Z]{16}/, type: "AWS Access Key", minEntropy: 3.5 },
+  { pattern: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/, type: "Slack Bot Token", minEntropy: 0 },
+  { pattern: /ghp_[a-zA-Z0-9]{36}/, type: "GitHub Personal Token", minEntropy: 3.5 },
+  { pattern: /gho_[a-zA-Z0-9]{36}/, type: "GitHub OAuth Token", minEntropy: 3.5 },
+  { pattern: /sk_live_[0-9a-zA-Z]{24,}/, type: "Stripe Live Key", minEntropy: 3.5 },
+  { pattern: /pk_live_[0-9a-zA-Z]{24,}/, type: "Stripe Publishable Key", minEntropy: 0 },
+  
+  // Generic patterns - require higher entropy to avoid false positives
+  { pattern: /['"]?api[_-]?key['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "API Key", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?secret[_-]?key['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "Secret Key", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?password['"]?\s*[:=]\s*['"]([^'"]{8,})['"]/, type: "Password", minEntropy: 3.0, valueGroup: 1 },
+  { pattern: /['"]?auth[_-]?token['"]?\s*[:=]\s*['"]([^'"]{16,})['"]/, type: "Auth Token", minEntropy: 4.0, valueGroup: 1 },
+  { pattern: /['"]?private[_-]?key['"]?\s*[:=]\s*['"]([^'"]{20,})['"]/, type: "Private Key", minEntropy: 4.0, valueGroup: 1 },
+  
+  // Database URLs (credentials embedded)
+  { pattern: /mongodb(?:\+srv)?:\/\/([^:]+):([^@]+)@/, type: "MongoDB URL", minEntropy: 0 },
+  { pattern: /postgres(?:ql)?:\/\/([^:]+):([^@]+)@/, type: "PostgreSQL URL", minEntropy: 0 },
+  { pattern: /mysql:\/\/([^:]+):([^@]+)@/, type: "MySQL URL", minEntropy: 0 },
+  { pattern: /redis:\/\/([^:]+):([^@]+)@/, type: "Redis URL", minEntropy: 0 },
+  
+  // JWT tokens - validate structure
+  { pattern: /eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/, type: "JWT Token", minEntropy: 4.0 },
+];
+
+/**
+ * Vulnerability patterns - refined to reduce false positives
+ * Each pattern now includes contextual requirements
+ */
+const VULNERABILITY_PATTERNS = [
+  // SQL Injection - require concatenation with user input indicators
+  { 
+    pattern: /(?:query|execute|raw)\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE|DROP)\s*[^'"]*\+\s*(?:req\.|user|input|param)/i, 
+    type: "SQL Injection", 
+    severity: "critical",
+    contextExclusions: ['parameterized', 'prepared', 'placeholder']
+  },
+  
+  // XSS - dangerouslySetInnerHTML only when value comes from user/external
+  { 
+    pattern: /dangerouslySetInnerHTML\s*=\s*{{\s*__html:\s*(?:props|data|user|input|param)/, 
+    type: "XSS Risk", 
+    severity: "high",
+    contextExclusions: ['sanitize', 'DOMPurify', 'escape']
+  },
+  // innerHTML with dynamic content
+  { 
+    pattern: /\.innerHTML\s*=\s*(?:[^'";\n]*\+|`[^`]*\$\{)/, 
+    type: "XSS Risk", 
+    severity: "high",
+    contextExclusions: ['sanitize', 'escape', 'encode']
+  },
+  // document.write with variables
+  { 
+    pattern: /document\.write\s*\([^)]*(?:\+|\$\{)/, 
+    type: "XSS Risk", 
+    severity: "high" 
+  },
+  
+  // Path Traversal - only flag when path comes from user input
+  { 
+    pattern: /(?:readFile|readdir|open|access)\s*\([^)]*(?:req\.|user|input|param)[^)]*\)/, 
+    type: "Path Traversal", 
+    severity: "high",
+    contextExclusions: ['path.join', 'path.resolve', 'normalize', 'sanitize']
+  },
+  
+  // Insecure Crypto - only for password/credential hashing, not checksums
+  { 
+    pattern: /(?:createHash|crypto)\s*\(\s*['"](?:md5|sha1)['"]\s*\)[^;]*(?:password|credential|secret)/i, 
+    type: "Weak Password Hash", 
+    severity: "high",
+    contextExclusions: ['checksum', 'fingerprint', 'etag', 'cache']
+  },
+  
+  // Hardcoded credentials - more specific patterns
+  { 
+    pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}['"]\s*(?:,|;|$)/, 
+    type: "Hardcoded Credentials", 
+    severity: "high",
+    contextExclusions: ['process.env', 'config.', 'example', 'test', 'placeholder']
+  },
+  
+  // Sensitive data in logs - only when logging actual variables
+  { 
+    pattern: /console\.(?:log|info|debug)\s*\([^)]*(?:password|secret|token|apiKey|auth)[^)]*\)/, 
+    type: "Sensitive Data in Log", 
+    severity: "high",
+    contextExclusions: ['masked', 'redacted', '***', '[REDACTED]']
+  },
+  
+  // Eval with dynamic content
+  {
+    pattern: /\beval\s*\([^)]*(?:\+|`\$\{|concat)/, 
+    type: "Code Injection", 
+    severity: "critical"
+  },
+  
+  // Insecure random for security purposes
+  {
+    pattern: /Math\.random\s*\(\s*\)[^;]*(?:token|secret|key|password|salt|nonce)/i,
+    type: "Insecure Random",
+    severity: "high"
+  },
+];
+
+/**
+ * Find files recursively
+ */
+function findFiles(dir, extensions, maxDepth = 5, currentDepth = 0) {
+  if (currentDepth >= maxDepth || !fs.existsSync(dir)) return [];
+  
+  const files = [];
+  try {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory() && !entry.name.startsWith(".") && entry.name !== "node_modules") {
+        files.push(...findFiles(fullPath, extensions, maxDepth, currentDepth + 1));
+      } else if (entry.isFile() && extensions.some(ext => entry.name.endsWith(ext))) {
+        files.push(fullPath);
+      }
+    }
+  } catch {}
+  return files;
+}
+
+/**
+ * Scan file for secrets with entropy checking and false positive filtering
+ */
+function scanForSecrets(content, filePath) {
+  const secrets = [];
+  const lines = content.split("\n");
+  const relativePath = path.relative(process.cwd(), filePath).replace(/\\/g, "/");
+  
+  // Skip known safe file types
+  if (/\.(md|txt|svg|png|jpg|gif|ico|woff|woff2|ttf|eot|map)$/i.test(filePath)) {
+    return secrets;
+  }
+  
+  for (const patternDef of SECRET_PATTERNS) {
+    const regex = new RegExp(patternDef.pattern.source, 'gi');
+    let match;
+    
+    while ((match = regex.exec(content)) !== null) {
+      const lineNum = content.substring(0, match.index).split("\n").length;
+      const line = lines[lineNum - 1] || '';
+      
+      // Extract the actual secret value (use valueGroup if specified)
+      const secretValue = patternDef.valueGroup !== undefined 
+        ? (match[patternDef.valueGroup] || match[0])
+        : match[0];
+      
+      // Check for false positives first
+      if (isFalsePositive(secretValue, line, filePath)) {
+        continue;
+      }
+      
+      // Check entropy if required
+      if (patternDef.minEntropy && patternDef.minEntropy > 0) {
+        const entropy = calculateEntropy(secretValue);
+        if (entropy < patternDef.minEntropy) {
+          continue; // Too low entropy, likely not a real secret
+        }
+      }
+      
+      // Additional validation for specific types
+      if (patternDef.type === "JWT Token") {
+        // Validate JWT structure
+        const parts = secretValue.split('.');
+        if (parts.length !== 3) continue;
+        // Check if header looks valid (should be base64 JSON starting with eyJ)
+        try {
+          const header = Buffer.from(parts[0], 'base64url').toString();
+          if (!header.includes('{') || !header.includes('alg')) continue;
+        } catch {
+          continue;
+        }
+      }
+      
+      secrets.push({
+        type: patternDef.type,
+        file: relativePath,
+        line: lineNum,
+        content: maskSensitiveLine(line.trim()),
+        severity: getSeverity(patternDef.type),
+        entropy: calculateEntropy(secretValue).toFixed(2),
+      });
+    }
+  }
+  
+  return secrets;
+}
+
+/**
+ * Mask sensitive values in the line for safe display
+ */
+function maskSensitiveLine(line) {
+  // Mask potential secret values (keep first 4 and last 4 chars if long enough)
+  return line.replace(/(['"])[A-Za-z0-9_\-/+=]{12,}(['"])/g, (match, q1, q2) => {
+    const inner = match.slice(1, -1);
+    if (inner.length > 12) {
+      return `${q1}${inner.slice(0, 4)}****${inner.slice(-4)}${q2}`;
+    }
+    return `${q1}****${q2}`;
+  });
+}
+
+/**
+ * Get severity based on secret type
+ */
+function getSeverity(type) {
+  const criticalTypes = [
+    "AWS Access Key", "Stripe Live Key", "GitHub Personal Token", 
+    "GitHub OAuth Token", "Private Key", "Secret Key"
+  ];
+  const highTypes = [
+    "Google API Key", "Slack Bot Token", "MongoDB URL", 
+    "PostgreSQL URL", "MySQL URL", "Redis URL", "Password", "Auth Token"
+  ];
+  
+  if (criticalTypes.includes(type)) return "critical";
+  if (highTypes.includes(type)) return "high";
+  return "medium";
+}
+
+/**
+ * Scan file for vulnerabilities with context-aware filtering
+ */
+function scanForVulnerabilities(content, filePath) {
+  const vulnerabilities = [];
+  const lines = content.split("\n");
+  const relativePath = path.relative(process.cwd(), filePath).replace(/\\/g, "/");
+  const lowerPath = relativePath.toLowerCase();
+  
+  // Skip test files for vulnerability scanning (tests often contain intentional "bad" patterns)
+  if (lowerPath.includes('.test.') || lowerPath.includes('.spec.') || 
+      lowerPath.includes('__tests__') || lowerPath.includes('__mocks__')) {
+    return vulnerabilities;
+  }
+  
+  // Skip documentation and examples
+  if (lowerPath.endsWith('.md') || lowerPath.includes('/docs/') || 
+      lowerPath.includes('/examples/')) {
+    return vulnerabilities;
+  }
+  
+  for (const patternDef of VULNERABILITY_PATTERNS) {
+    const regex = new RegExp(patternDef.pattern.source, 'gi');
+    let match;
+    
+    while ((match = regex.exec(content)) !== null) {
+      const lineNum = content.substring(0, match.index).split("\n").length;
+      const line = lines[lineNum - 1] || '';
+      const lowerLine = line.toLowerCase();
+      
+      // Check context exclusions - skip if any exclusion pattern is present
+      if (patternDef.contextExclusions) {
+        const excluded = patternDef.contextExclusions.some(exclusion => 
+          lowerLine.includes(exclusion.toLowerCase())
+        );
+        if (excluded) continue;
+      }
+      
+      // Skip if the line is a comment
+      const trimmedLine = line.trim();
+      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('/*') || 
+          trimmedLine.startsWith('*') || trimmedLine.startsWith('#')) {
+        continue;
+      }
+      
+      // Skip if in a multi-line comment context
+      const beforeMatch = content.substring(0, match.index);
+      const lastCommentStart = beforeMatch.lastIndexOf('/*');
+      const lastCommentEnd = beforeMatch.lastIndexOf('*/');
+      if (lastCommentStart > lastCommentEnd) {
+        continue; // We're inside a multi-line comment
+      }
+      
+      vulnerabilities.push({
+        type: patternDef.type,
+        file: relativePath,
+        line: lineNum,
+        content: trimmedLine.substring(0, 100), // Limit line length
+        severity: patternDef.severity || "medium",
+        recommendation: getRecommendation(patternDef.type),
+      });
+    }
+  }
+  
+  return vulnerabilities;
+}
+
+/**
+ * Get recommendation for vulnerability type
+ */
+function getRecommendation(type) {
+  const recommendations = {
+    "SQL Injection": "Use parameterized queries or prepared statements. Never concatenate user input into SQL.",
+    "XSS Risk": "Sanitize user input with DOMPurify or similar. Use textContent instead of innerHTML when possible.",
+    "Path Traversal": "Validate and sanitize file paths. Use path.join() and verify paths don't escape the base directory.",
+    "Weak Password Hash": "Use bcrypt, Argon2, or scrypt for password hashing. MD5/SHA1 are cryptographically broken.",
+    "Hardcoded Credentials": "Use environment variables or a secrets manager. Never commit credentials to version control.",
+    "Sensitive Data in Log": "Remove or mask sensitive data before logging. Use structured logging with redaction.",
+    "Code Injection": "Never use eval() with user input. Consider safer alternatives like JSON.parse() or a sandboxed environment.",
+    "Insecure Random": "Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values.",
+  };
+  
+  return recommendations[type] || "Review and fix the security issue";
+}
+
+/**
+ * Scan project for security issues
+ */
+function scanProject(projectPath) {
+  const files = findFiles(projectPath, [".ts", ".tsx", ".js", ".jsx", ".json", ".env*", ".yml", ".yaml"], 5);
+  
+  const results = {
+    secrets: [],
+    vulnerabilities: [],
+    stats: {
+      totalFiles: files.length,
+      filesWithSecrets: 0,
+      filesWithVulnerabilities: 0,
+      criticalIssues: 0,
+      highIssues: 0,
+      mediumIssues: 0,
+    },
+    scanned: new Date().toISOString(),
+  };
+  
+  for (const file of files) {
+    try {
+      const content = fs.readFileSync(file, "utf-8");
+      const relativePath = path.relative(projectPath, file).replace(/\\/g, "/");
+      
+      // Skip certain files
+      if (relativePath.includes("node_modules") || 
+          relativePath.includes(".git") ||
+          relativePath.includes("dist/") ||
+          relativePath.includes("build/")) {
+        continue;
+      }
+      
+      const secrets = scanForSecrets(content, file);
+      const vulnerabilities = scanForVulnerabilities(content, file);
+      
+      if (secrets.length > 0) {
+        results.secrets.push(...secrets);
+        results.stats.filesWithSecrets++;
+      }
+      
+      if (vulnerabilities.length > 0) {
+        results.vulnerabilities.push(...vulnerabilities);
+        results.stats.filesWithVulnerabilities++;
+      }
+      
+      // Count severity
+      for (const issue of [...secrets, ...vulnerabilities]) {
+        switch (issue.severity) {
+          case "critical":
+            results.stats.criticalIssues++;
+            break;
+          case "high":
+            results.stats.highIssues++;
+            break;
+          case "medium":
+            results.stats.mediumIssues++;
+            break;
+        }
+      }
+    } catch {}
+  }
+  
+  return results;
+}
+
+/**
+ * Generate security report
+ */
+function generateSecurityReport(results) {
+  let report = `# Security Scan Report\n\n`;
+  report += `Scanned: ${new Date(results.scanned).toLocaleString()}\n`;
+  report += `Total Files: ${results.stats.totalFiles}\n\n`;
+  
+  // Summary
+  report += `## Summary\n\n`;
+  report += `- Files with Secrets: ${results.stats.filesWithSecrets}\n`;
+  report += `- Files with Vulnerabilities: ${results.stats.filesWithVulnerabilities}\n`;
+  report += `- Critical Issues: ${results.stats.criticalIssues}\n`;
+  report += `- High Issues: ${results.stats.highIssues}\n`;
+  report += `- Medium Issues: ${results.stats.mediumIssues}\n\n`;
+  
+  // Secrets
+  if (results.secrets.length > 0) {
+    report += `## 🔑 Secrets Found (${results.secrets.length})\n\n`;
+    for (const secret of results.secrets) {
+      report += `### ${secret.type} - ${secret.file}:${secret.line}\n`;
+      report += `\`\`\`\n${secret.content}\n\`\`\`\n\n`;
+    }
+  }
+  
+  // Vulnerabilities
+  if (results.vulnerabilities.length > 0) {
+    report += `## 🚨 Vulnerabilities Found (${results.vulnerabilities.length})\n\n`;
+    for (const vuln of results.vulnerabilities) {
+      const icon = vuln.severity === "critical" ? "🔴" : 
+                   vuln.severity === "high" ? "🟠" : "🟡";
+      report += `### ${icon} ${vuln.type} - ${vuln.file}:${vuln.line}\n`;
+      report += `**Severity:** ${vuln.severity}\n`;
+      report += `**Recommendation:** ${vuln.recommendation}\n\n`;
+      report += `\`\`\`\n${vuln.content}\n\`\`\`\n\n`;
+    }
+  }
+  
+  if (results.secrets.length === 0 && results.vulnerabilities.length === 0) {
+    report += `## ✅ No Security Issues Found\n\n`;
+    report += `Great job! No secrets or obvious vulnerabilities were detected.\n`;
+  }
+  
+  return report;
+}
+
+/**
+ * Filter content for safe AI consumption
+ */
+function filterForAI(content) {
+  let filtered = content;
+  
+  // Remove detected secrets
+  for (const pattern of SECRET_PATTERNS) {
+    filtered = filtered.replace(pattern.pattern, "[REDACTED_SECRET]");
+  }
+  
+  // Remove sensitive lines
+  const lines = filtered.split("\n");
+  const safeLines = lines.filter(line => {
+    const lower = line.toLowerCase();
+    return !lower.includes("password") &&
+           !lower.includes("secret") &&
+           !lower.includes("private_key") &&
+           !lower.includes("api_key") &&
+           !line.includes("console.log") &&
+           !line.includes("debugger");
+  });
+  
+  return safeLines.join("\n");
+}
+
+module.exports = {
+  scanProject,
+  generateSecurityReport,
+  filterForAI,
+  SECRET_PATTERNS,
+  VULNERABILITY_PATTERNS,
+};