xploitscan-shared-rules 1.8.1 → 1.10.0

package/README.md

@@ -6,7 +6,7 @@ This package is the source of truth for XploitScan's detection logic. It's consu
 
 ## What's in here
 
-- **206 security rules** — pattern + AST-based detection for hardcoded secrets, SQL injection, XSS, SSRF, prototype pollution, crypto misuse, deserialization, JWT alg confusion, and more.
+- **210 security rules** — pattern + AST-based detection for hardcoded secrets, SQL injection, XSS, SSRF, prototype pollution, crypto misuse, deserialization, JWT alg confusion, and more.
 - **Compliance mappings** — each rule tagged with the SOC2, ISO 27001, and OWASP Top 10 controls it covers.
 - **AI false-positive filter** — optional Claude Haiku integration that re-evaluates findings to suppress benign matches before reporting.
 - **Entropy-based secret scanner** — detects high-entropy strings that look like credentials but don't match a known service-key pattern.

package/dist/index.cjs

@@ -594,8 +594,140 @@ var TAINTED_REQUEST_OBJECTS = /* @__PURE__ */ new Set([
   "event"
   // Lambda
 ]);
+var FS_READ_METHODS = /* @__PURE__ */ new Set(["readFile", "readFileSync"]);
+var PARSE_OBJECTS = /* @__PURE__ */ new Set([
+  "JSON",
+  "csv",
+  "papa",
+  "Papa",
+  "yaml",
+  "YAML",
+  "toml",
+  "qs",
+  "querystring"
+]);
+var PARSE_BARE = /* @__PURE__ */ new Set(["parse", "parseSync"]);
+var ARRAY_ELEMENT_METHODS = /* @__PURE__ */ new Set([
+  "map",
+  "filter",
+  "forEach",
+  "find",
+  "findIndex",
+  "flatMap",
+  "some",
+  "every"
+]);
+var ARRAY_REDUCE_METHODS = /* @__PURE__ */ new Set(["reduce", "reduceRight"]);
+function callPreservesTaint(node, rec) {
+  const callee = node.callee;
+  const anyArgTainted = () => node.arguments.some((a) => a.type !== "SpreadElement" && rec(a));
+  if (callee.type === "MemberExpression" && callee.property.type === "Identifier") {
+    const pname = callee.property.name;
+    if (FS_READ_METHODS.has(pname)) return anyArgTainted();
+    if (pname === "parse" || pname === "parseSync") {
+      const obj = callee.object;
+      if (obj.type === "Identifier" && PARSE_OBJECTS.has(obj.name)) return anyArgTainted();
+    }
+  }
+  if (callee.type === "Identifier") {
+    if (FS_READ_METHODS.has(callee.name)) return anyArgTainted();
+    if (PARSE_BARE.has(callee.name)) return anyArgTainted();
+  }
+  return false;
+}
+function isParamDerived(n, p) {
+  if (!n) return false;
+  if (n.type === "Identifier") return n.name === p;
+  if (n.type === "MemberExpression") return isParamDerived(n.object, p);
+  return false;
+}
+function formattedFlow(n, p) {
+  if (!n) return false;
+  switch (n.type) {
+    case "TemplateLiteral":
+      return n.expressions.some(
+        (e) => isParamDerived(e, p) || formattedFlow(e, p)
+      );
+    case "BinaryExpression":
+      if (n.operator !== "+") return false;
+      return isParamDerived(n.left, p) || isParamDerived(n.right, p) || formattedFlow(n.left, p) || formattedFlow(n.right, p);
+    case "ObjectExpression":
+      return n.properties.some(
+        (pr) => pr.type === "SpreadElement" && isParamDerived(pr.argument, p)
+      );
+    case "ArrayExpression":
+      return n.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isParamDerived(el.argument, p)
+      );
+    case "ConditionalExpression":
+      return formattedFlow(n.consequent, p) || formattedFlow(n.alternate, p);
+    case "AwaitExpression":
+      return formattedFlow(n.argument, p);
+    default:
+      return false;
+  }
+}
+function collectReturnArgs(fn) {
+  const out = [];
+  if (fn.type === "ArrowFunctionExpression" && fn.body.type !== "BlockStatement") {
+    out.push(fn.body);
+    return out;
+  }
+  const visit = (n) => {
+    if (!n || typeof n !== "object") return;
+    const node = n;
+    if (typeof node.type !== "string") return;
+    if (node.type === "ReturnStatement") {
+      const arg = node.argument;
+      if (arg) out.push(arg);
+      return;
+    }
+    if (node.type === "FunctionDeclaration" || node.type === "FunctionExpression" || node.type === "ArrowFunctionExpression") {
+      return;
+    }
+    for (const key of Object.keys(node)) {
+      const v = node[key];
+      if (Array.isArray(v)) v.forEach(visit);
+      else visit(v);
+    }
+  };
+  visit(fn.body);
+  return out;
+}
+function computePassthrough(fn) {
+  const params = fn.params ?? [];
+  const returns = collectReturnArgs(fn);
+  const out = /* @__PURE__ */ new Set();
+  for (let i = 0; i < params.length; i++) {
+    const param = params[i];
+    if (param.type !== "Identifier") continue;
+    const name = param.name;
+    if (returns.some((r) => formattedFlow(r, name))) out.add(i);
+  }
+  return out;
+}
 function buildTaintMap(parsed) {
   const tainted = /* @__PURE__ */ new Set();
+  function markPatternTainted(target) {
+    if (target.type === "Identifier") {
+      tainted.add(target.name);
+    } else if (target.type === "ObjectPattern") {
+      for (const prop of target.properties) {
+        if (prop.type === "ObjectProperty" && prop.value.type === "Identifier") {
+          tainted.add(prop.value.name);
+        } else if (prop.type === "RestElement" && prop.argument.type === "Identifier") {
+          tainted.add(prop.argument.name);
+        }
+      }
+    } else if (target.type === "ArrayPattern") {
+      for (const el of target.elements) {
+        if (el && el.type === "Identifier") tainted.add(el.name);
+        else if (el && el.type === "RestElement" && el.argument.type === "Identifier") {
+          tainted.add(el.argument.name);
+        }
+      }
+    }
+  }
   function reachesRequestIdent(node) {
     if (!node) return false;
     if (node.type === "Identifier") return TAINTED_REQUEST_OBJECTS.has(node.name);
@@ -666,6 +798,8 @@ function buildTaintMap(parsed) {
     }
     if (node.type === "CallExpression") {
       if (nodeIsTaintedSource(node)) return true;
+      if (callPreservesTaint(node, exprIsTainted)) return true;
+      if (localCallPropagates(node, exprIsTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (exprIsTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -686,8 +820,46 @@ function buildTaintMap(parsed) {
     if (node.type === "AwaitExpression") {
       return exprIsTainted(node.argument);
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && exprIsTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && exprIsTainted(p.argument)
+      );
+    }
     return false;
   }
+  const fnPassthrough = /* @__PURE__ */ new Map();
+  const recordFn = (name, fn) => {
+    const pt = computePassthrough(fn);
+    if (pt.size > 0) fnPassthrough.set(name, pt);
+  };
+  traverse(parsed.ast, {
+    FunctionDeclaration(path) {
+      const n = path.node;
+      if (n.type === "FunctionDeclaration" && n.id && n.id.type === "Identifier") {
+        recordFn(n.id.name, n);
+      }
+    },
+    VariableDeclarator(path) {
+      const n = path.node;
+      if (n.type !== "VariableDeclarator" || n.id.type !== "Identifier" || !n.init) return;
+      if (n.init.type === "ArrowFunctionExpression" || n.init.type === "FunctionExpression") {
+        recordFn(n.id.name, n.init);
+      }
+    }
+  });
+  function localCallPropagates(node, rec) {
+    if (node.callee.type !== "Identifier") return false;
+    const pt = fnPassthrough.get(node.callee.name);
+    if (!pt) return false;
+    return node.arguments.some(
+      (a, i) => pt.has(i) && a.type !== "SpreadElement" && rec(a)
+    );
+  }
   traverse(parsed.ast, {
     VariableDeclarator(path) {
       const node = path.node;
@@ -720,6 +892,32 @@ function buildTaintMap(parsed) {
       if (exprIsTainted(node.right)) {
         tainted.add(node.left.name);
       }
+    },
+    // for (const row of <tainted>) → row tainted (and destructured names).
+    ForOfStatement(path) {
+      const node = path.node;
+      if (node.type !== "ForOfStatement") return;
+      if (!exprIsTainted(node.right)) return;
+      const decl = node.left;
+      const target = decl.type === "VariableDeclaration" && decl.declarations[0] ? decl.declarations[0].id : decl;
+      markPatternTainted(target);
+    },
+    // Array-iteration element taint: <tainted>.map((row) => …) marks `row`
+    // tainted inside the callback. Gated on the receiver already being
+    // tainted, so this never originates taint.
+    CallExpression(path) {
+      const node = path.node;
+      if (node.type !== "CallExpression") return;
+      const callee = node.callee;
+      if (callee.type !== "MemberExpression" || callee.property.type !== "Identifier") return;
+      const method = callee.property.name;
+      const isReduce = ARRAY_REDUCE_METHODS.has(method);
+      if (!ARRAY_ELEMENT_METHODS.has(method) && !isReduce) return;
+      if (!exprIsTainted(callee.object)) return;
+      const cb = node.arguments[0];
+      if (!cb || cb.type !== "ArrowFunctionExpression" && cb.type !== "FunctionExpression") return;
+      const elemParam = cb.params[isReduce ? 1 : 0];
+      if (elemParam) markPatternTainted(elemParam);
     }
   });
   const isTainted = (node) => {
@@ -745,6 +943,8 @@ function buildTaintMap(parsed) {
       return isTainted(node.object);
     }
     if (node.type === "CallExpression") {
+      if (callPreservesTaint(node, isTainted)) return true;
+      if (localCallPropagates(node, isTainted)) return true;
       if (node.callee.type === "MemberExpression") {
         if (isTainted(node.callee.object)) return true;
         const obj = node.callee.object;
@@ -762,6 +962,16 @@ function buildTaintMap(parsed) {
         }
       }
     }
+    if (node.type === "ArrayExpression") {
+      return node.elements.some(
+        (el) => el != null && el.type === "SpreadElement" && isTainted(el.argument)
+      );
+    }
+    if (node.type === "ObjectExpression") {
+      return node.properties.some(
+        (p) => p.type === "SpreadElement" && isTainted(p.argument)
+      );
+    }
     return false;
   };
   return {