xploitscan 0.4.0 → 0.5.0

package/dist/index.js

@@ -335,15 +335,21 @@ var hardcodedSecrets = {
     ];
     const matches = [];
     for (const pattern of patterns) {
-      matches.push(
-        ...findMatches(
-          content,
-          pattern,
-          hardcodedSecrets,
-          filePath,
-          () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
-        )
+      const rawMatches = findMatches(
+        content,
+        pattern,
+        hardcodedSecrets,
+        filePath,
+        () => "Move this secret to an environment variable and add it to .env (not committed to git). Use .env.example to document the required variables."
       );
+      for (const rm3 of rawMatches) {
+        const lineText = content.split("\n")[rm3.line - 1] || "";
+        const trimmed = lineText.trimStart();
+        if (trimmed.startsWith("//") || trimmed.startsWith("#")) continue;
+        const secretMatch = lineText.match(/[:=]\s*["'`]([^"'`]*)["'`]/);
+        if (secretMatch && secretMatch[1].length < 12) continue;
+        matches.push(rm3);
+      }
     }
     return matches;
   }
@@ -524,6 +530,7 @@ var xssVulnerability = {
   check(content, filePath) {
     if (/(?:sanitize|purify|escape|xss)/i.test(filePath)) return [];
     if (/DOMPurify\.sanitize|sanitizeHtml|xss\(|escapeHtml/i.test(content)) return [];
+    if (/(?:import|require)\s*\(?.*(?:DOMPurify|dompurify|sanitize|sanitizer)/i.test(content)) return [];
     const patterns = [
       // React dangerouslySetInnerHTML
       /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:/g,
@@ -765,6 +772,7 @@ var evalUsage = {
         const lineEnd = content.indexOf("\n", lineStart + 1);
         const lineText = content.substring(lineStart, lineEnd === -1 ? content.length : lineEnd);
         if (/devtool|source-map/i.test(lineText)) continue;
+        if (/(?:description|title|message)\s*[:=]/i.test(lineText)) continue;
         matches.push(rm3);
       }
     }
@@ -963,9 +971,9 @@ var unsanitizedHTMLExport = {
   description: "Generating HTML from user content without sanitization (e.g., DOMPurify) allows stored XSS attacks. Malicious content saved in documents could execute scripts when exported or previewed.",
   check(content, filePath) {
     if (isTestFile(filePath)) return [];
-    if (/import.*DOMPurify|require.*DOMPurify|from\s+['"]dompurify/i.test(content)) return [];
+    if (/DOMPurify|dompurify/i.test(content)) return [];
     if (filePath.match(/\.(jsx|tsx|vue|svelte)$/) && !/innerHTML|document\.write|\.html\s*=/i.test(content)) return [];
-    const hasSanitizer = /DOMPurify|sanitize|escapeHtml|escapeHTML|xss|htmlEncode|purify/i.test(content);
+    const hasSanitizer = /sanitize|escapeHtml|escapeHTML|xss|htmlEncode|purify/i.test(content);
     if (hasSanitizer) return [];
     if (!/(?:export|download|save|write|send).*(?:html|HTML)|\.innerHTML\s*=|document\.write|res\.send\s*\(/i.test(content)) return [];
     const matches = [];
@@ -1336,13 +1344,19 @@ var insecureRandomness = {
     if (!/Math\.random\s*\(\s*\)/i.test(content)) return [];
     const matches = [];
     const securityContext = /(?:token|secret|session|password|otp|nonce|salt|csrf|auth)\s*[:=]\s*.*Math\.random/gi;
-    matches.push(...findMatches(
+    const rawMatches = findMatches(
       content,
       securityContext,
       insecureRandomness,
       filePath,
       () => "Use crypto.randomUUID() or crypto.getRandomValues() for security-sensitive values. Math.random() is predictable."
-    ));
+    );
+    const nonSecurityVarNames = /(?:id|key|color|index|delay|position|size|width|height|offset|opacity|rotation|animation|random(?!.*(?:token|secret|key|password)))\s*[:=]\s*.*Math\.random/i;
+    for (const rm3 of rawMatches) {
+      const lineText = content.split("\n")[rm3.line - 1] || "";
+      if (nonSecurityVarNames.test(lineText)) continue;
+      matches.push(rm3);
+    }
     return matches;
   }
 };
@@ -1380,14 +1394,17 @@ var missingErrorBoundary = {
   category: "Configuration",
   description: "React apps without error boundaries display raw stack traces and component tree info to users when crashes occur, leaking internal details.",
   check(content, filePath) {
-    if (!filePath.match(/(?:layout|_app|main|index)\.[jt]sx?$/) || filePath.match(/App\.[jt]sx?$/)) return [];
+    const basename = filePath.split("/").pop() || "";
+    if (!/^[Aa]pp\.[jt]sx$/i.test(basename)) return [];
+    if (filePath.match(/\.ts$/)) return [];
+    if (!/<[A-Z]/.test(content)) return [];
     if (/(?:BrowserWindow|electron|ipcMain|app\.on\s*\(\s*["']ready)/i.test(content)) return [];
-    if (/(?:main\/main|main\.ts$|main\.js$)/.test(filePath) && /(?:electron|BrowserWindow)/i.test(content)) return [];
+    if (/\/main\//.test(filePath) && !/react-dom|createRoot/i.test(content)) return [];
     if (!/(?:import.*react|from\s+['"]react|require.*react)/i.test(content)) return [];
-    if (!/(?:React|react-dom|createRoot|ReactDOM|jsx|tsx)/i.test(content)) return [];
+    if (!/(?:createRoot|ReactDOM\.render)/i.test(content)) return [];
     const hasErrorBoundary = /ErrorBoundary|componentDidCatch|getDerivedStateFromError|error-boundary/i.test(content);
     if (hasErrorBoundary) return [];
-    if (/createRoot|ReactDOM\.render|<[A-Z]/i.test(content)) {
+    if (/createRoot|ReactDOM\.render/i.test(content)) {
       return [{
         rule: "VC036",
         title: missingErrorBoundary.title,
@@ -1517,13 +1534,23 @@ var ssrfVulnerability = {
     const hasValidation = /allowedHosts|allowedDomains|allowedUrls|safeDomain|whitelist|urlValidator|new URL.*hostname.*includes|isAllowedUrl|validateUrl|isValidUrl/i.test(content);
     if (hasValidation) return [];
     for (const p of patterns) {
-      matches.push(...findMatches(
+      const rawMatches = findMatches(
         content,
         p,
         ssrfVulnerability,
         filePath,
         () => "Validate URLs against an allowlist before fetching. Block internal IPs: 127.0.0.1, 10.x, 172.16-31.x, 192.168.x, 169.254.169.254 (cloud metadata). Use: const url = new URL(input); if (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error('Blocked');"
-      ));
+      );
+      for (const rm3 of rawMatches) {
+        const lineText = content.split("\n")[rm3.line - 1] || "";
+        const varMatch = lineText.match(/(?:fetch|axios\.\w+|got|request|https?\.get)\s*\(\s*(\w+)/);
+        if (varMatch) {
+          const varName = varMatch[1];
+          const constDef = new RegExp(`const\\s+${varName}\\s*=\\s*["'\`]https?://`, "i");
+          if (constDef.test(content)) continue;
+        }
+        matches.push(rm3);
+      }
     }
     return matches;
   }
@@ -1630,13 +1657,21 @@ var weakPasswordRequirements = {
     if (hasValidation) return [];
     const hasPasswordHandling = /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./i.test(content);
     if (!hasPasswordHandling) return [];
-    return findMatches(
+    const rawMatches = findMatches(
       content,
       /(?:password|pwd)\s*[:=]\s*(?:req\.body|body|input|params|args)\./gi,
       weakPasswordRequirements,
       filePath,
       () => "Enforce minimum password requirements: at least 8 characters, mix of letters/numbers/symbols. Use a library like zxcvbn for strength estimation."
     );
+    const lines = content.split("\n");
+    const validationPattern = /\.length|minLength|minlength|min_length|match|test|regex|pattern|validate|schema|zxcvbn|isStrongPassword/i;
+    return rawMatches.filter((rm3) => {
+      const start = Math.max(0, rm3.line - 1 - 10);
+      const end = Math.min(lines.length, rm3.line - 1 + 10);
+      const nearby = lines.slice(start, end).join("\n");
+      return !validationPattern.test(nearby);
+    });
   }
 };
 var sessionFixation = {
@@ -1867,6 +1902,7 @@ var sensitiveLocalStorage = {
   check(content, filePath) {
     if (!filePath.match(/\.(jsx?|tsx?|vue|svelte)$/)) return [];
     if (isTestFile(filePath)) return [];
+    if (/mock|spec/i.test(filePath)) return [];
     if (!/localStorage\.setItem|localStorage\[/i.test(content)) return [];
     const matches = [];
     const patterns = [
@@ -3132,6 +3168,203 @@ var complianceMap = {
   VC095: { owasp: "A05:2021", cwe: "CWE-942" },
   VC096: { owasp: "A02:2021", cwe: "CWE-319" }
 };
+var consoleLogProduction = {
+  id: "VC097",
+  title: "Console.log Left in Production Code",
+  severity: "medium",
+  category: "Performance",
+  description: "console.log statements left in production code can leak sensitive data, slow down rendering, and clutter browser consoles.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|\.test\.|\.spec\./i)) return [];
+    if (!/console\.log\s*\(/g.test(content)) return [];
+    const lines = content.split("\n");
+    const matches = [];
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (/console\.log\s*\(/.test(line) && !line.startsWith("//") && !line.startsWith("*") && !/if\s*\(\s*(?:debug|process\.env)/i.test(lines[Math.max(0, i - 1)] + line)) {
+        matches.push({ rule: "VC097", title: consoleLogProduction.title, severity: "medium", category: "Performance", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Remove console.log or use a logger that can be disabled in production." });
+      }
+    }
+    return matches.slice(0, 3);
+  }
+};
+var syncFileOps = {
+  id: "VC098",
+  title: "Synchronous File Operations",
+  severity: "medium",
+  category: "Performance",
+  description: "Synchronous file operations (readFileSync, writeFileSync) block the event loop, causing all other requests to wait.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|config|\.config\./i)) return [];
+    return findMatches(
+      content,
+      /(?:readFileSync|writeFileSync|appendFileSync|mkdirSync|rmdirSync|statSync)\s*\(/g,
+      syncFileOps,
+      filePath,
+      () => "Use async file operations (readFile, writeFile) to avoid blocking the event loop."
+    );
+  }
+};
+var eventListenerLeak = {
+  id: "VC099",
+  title: "Memory Leak: Event Listener Not Cleaned Up",
+  severity: "high",
+  category: "Performance",
+  description: "Adding event listeners in React useEffect without a cleanup function causes memory leaks as listeners accumulate on re-renders.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(jsx|tsx)$/)) return [];
+    if (!/addEventListener/i.test(content)) return [];
+    if (/removeEventListener/i.test(content)) return [];
+    if (!/useEffect/i.test(content)) return [];
+    return findMatches(
+      content,
+      /addEventListener\s*\(/g,
+      eventListenerLeak,
+      filePath,
+      () => "Return a cleanup function from useEffect: useEffect(() => { window.addEventListener('resize', fn); return () => window.removeEventListener('resize', fn); }, []);"
+    );
+  }
+};
+var nPlusOneQuery = {
+  id: "VC100",
+  title: "N+1 Query Pattern Detected",
+  severity: "medium",
+  category: "Performance",
+  description: "Database queries inside loops cause N+1 performance problems \u2014 one query per iteration instead of a single batch query.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    const hasLoopWithQuery = /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()[^}]*(?:\.find\(|\.findOne\(|\.findById\(|\.query\(|\.execute\(|SELECT\s)/is.test(content);
+    if (!hasLoopWithQuery) return [];
+    return findMatches(
+      content,
+      /(?:for\s*\(|\.forEach\s*\(|\.map\s*\(|while\s*\()/g,
+      nPlusOneQuery,
+      filePath,
+      () => "Fetch all data in a single query using WHERE IN, JOIN, or batch operations instead of querying per item in a loop."
+    ).slice(0, 2);
+  }
+};
+var largeBundleImport = {
+  id: "VC101",
+  title: "Importing Entire Library (Large Bundle)",
+  severity: "medium",
+  category: "Performance",
+  description: "Importing entire libraries like lodash or moment.js adds hundreds of KB to your bundle. Import only the functions you need.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
+    const matches = [];
+    const patterns = [
+      /import\s+_\s+from\s+['"]lodash['"]/g,
+      /import\s+\*\s+as\s+_\s+from\s+['"]lodash['"]/g,
+      /import\s+moment\s+from\s+['"]moment['"]/g,
+      /const\s+_\s*=\s*require\s*\(\s*['"]lodash['"]\s*\)/g,
+      /const\s+moment\s*=\s*require\s*\(\s*['"]moment['"]\s*\)/g
+    ];
+    for (const p of patterns) {
+      matches.push(...findMatches(
+        content,
+        p,
+        largeBundleImport,
+        filePath,
+        () => "Import only what you need: import { debounce } from 'lodash/debounce'. Or switch to lighter alternatives like date-fns instead of moment."
+      ));
+    }
+    return matches;
+  }
+};
+var blockingMainThread = {
+  id: "VC102",
+  title: "Blocking Main Thread with Heavy Computation",
+  severity: "medium",
+  category: "Performance",
+  description: "Infinite loops or deeply nested iterations on the main thread freeze the UI and cause unresponsiveness.",
+  check(content, filePath) {
+    if (filePath.match(/worker|test|spec|mock/i)) return [];
+    const matches = [];
+    if (/while\s*\(\s*true\s*\)/g.test(content)) {
+      matches.push(...findMatches(
+        content,
+        /while\s*\(\s*true\s*\)/g,
+        blockingMainThread,
+        filePath,
+        () => "Avoid while(true) on the main thread. Use Web Workers for heavy computation or requestIdleCallback for non-urgent work."
+      ));
+    }
+    return matches;
+  }
+};
+var todoLeftInCode = {
+  id: "VC103",
+  title: "TODO/FIXME Left in Code",
+  severity: "low",
+  category: "Code Quality",
+  description: "TODO, FIXME, HACK, and XXX comments indicate unfinished work that should be resolved before shipping to production.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|__tests__|fixture|node_modules/i)) return [];
+    return findMatches(
+      content,
+      /\/\/\s*(?:TODO|FIXME|HACK|XXX)\b/gi,
+      todoLeftInCode,
+      filePath,
+      () => "Resolve TODO/FIXME comments before shipping. If it's intentional tech debt, track it in your issue tracker instead."
+    ).slice(0, 5);
+  }
+};
+var emptyCatchBlock = {
+  id: "VC104",
+  title: "Empty Catch Block",
+  severity: "medium",
+  category: "Code Quality",
+  description: "Empty catch blocks silently swallow errors, making bugs impossible to diagnose. At minimum, log the error.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    return findMatches(
+      content,
+      /catch\s*(?:\([^)]*\))?\s*\{\s*\}/g,
+      emptyCatchBlock,
+      filePath,
+      () => "Handle errors in catch blocks: catch(err) { console.error('Operation failed:', err); } or re-throw if appropriate."
+    );
+  }
+};
+var callbackHell = {
+  id: "VC105",
+  title: "Deeply Nested Callbacks (Promise Chain)",
+  severity: "medium",
+  category: "Code Quality",
+  description: "Long .then() chains or deeply nested callbacks are hard to read, debug, and maintain. Refactor to async/await.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock/i)) return [];
+    return findMatches(
+      content,
+      /\.then\s*\([^)]*\)\s*\.then\s*\([^)]*\)\s*\.then/g,
+      callbackHell,
+      filePath,
+      () => "Refactor .then() chains to async/await for cleaner, more readable code."
+    );
+  }
+};
+var magicNumbers = {
+  id: "VC106",
+  title: "Magic Numbers in Code",
+  severity: "low",
+  category: "Code Quality",
+  description: "Unnamed numeric constants in conditions or calculations make code hard to understand. Extract them into named constants.",
+  check(content, filePath) {
+    if (filePath.match(/test|spec|mock|config|\.config\.|constant|enum|migration/i)) return [];
+    if (!filePath.match(/\.(jsx?|tsx?)$/)) return [];
+    const matches = [];
+    const lines = content.split("\n");
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (line.startsWith("//") || line.startsWith("*")) continue;
+      if (/(?:===|!==|>=?|<=?)\s*\d{3,}/.test(line) || /(?:setTimeout|setInterval)\s*\([^,]+,\s*\d{4,}/.test(line)) {
+        matches.push({ rule: "VC106", title: magicNumbers.title, severity: "low", category: "Code Quality", file: filePath, line: i + 1, snippet: getSnippet(content, i + 1), fix: "Extract magic numbers into named constants: const MAX_RETRIES = 3; const TIMEOUT_MS = 5000;" });
+      }
+    }
+    return matches.slice(0, 3);
+  }
+};
 var allRules = [
   hardcodedSecrets,
   exposedEnvFile,
@@ -3228,7 +3461,17 @@ var allRules = [
   unprotectedDownload,
   commandInjection,
   corsLocalhost,
-  insecureGRPC
+  insecureGRPC,
+  consoleLogProduction,
+  syncFileOps,
+  eventListenerLeak,
+  nPlusOneQuery,
+  largeBundleImport,
+  blockingMainThread,
+  todoLeftInCode,
+  emptyCatchBlock,
+  callbackHell,
+  magicNumbers
 ];
 function runCustomRules(content, filePath, disabledRules = []) {
   const findings = [];
@@ -4060,9 +4303,19 @@ var SAFE_PATTERNS = [
   // DOCTYPE/DTD URLs
   /DTD|DOCTYPE|w3\.org|apple\.com\/DTDs/i,
   // XML namespaces
-  /xmlns|schema|xsd|xsi/i
+  /xmlns|schema|xsd|xsi/i,
+  // npm/package registry URLs
+  /^https?:\/\/registry\.npmjs\.org\//,
+  /^https?:\/\/registry\.yarnpkg\.com\//,
+  // Package integrity hashes (sha512-..., sha256-...)
+  /^sha\d+-[A-Za-z0-9+/=]+$/,
+  // Resolved package URLs (.tgz)
+  /\.tgz$/,
+  // npm resolved URLs (any registry URL with package tarball)
+  /registry.*\/-\/.*\.tgz$/
 ];
 var SKIP_FILES = /\.(css|scss|less|svg|md|txt|html?|xml|yml|yaml|toml|lock|map|woff2?|ttf|eot|ico|png|jpg|gif|webp)$/i;
+var SKIP_FILENAMES = /(?:package-lock\.json|pnpm-lock\.yaml|yarn\.lock|composer\.lock|Gemfile\.lock|Cargo\.lock|poetry\.lock|Pipfile\.lock|shrinkwrap\.json)$/i;
 var SAFE_VAR_NAMES = /(?:description|message|text|label|title|content|template|html|svg|css|style|class|query|mutation|schema|regex|pattern|format|placeholder|comment|url|path|route|endpoint|href|src|alt|name|type|version|encoding|charset)/i;
 function getSnippet3(content, line) {
   const lines = content.split("\n");
@@ -4078,6 +4331,7 @@ function scanEntropy(files) {
   const findings = [];
   for (const { path: filePath, content } of files) {
     if (SKIP_FILES.test(filePath)) continue;
+    if (SKIP_FILENAMES.test(filePath)) continue;
     if (filePath.includes("node_modules")) continue;
     if (filePath.includes(".min.")) continue;
     if (/(?:\.test\.|\.spec\.|__tests__|__mocks__|fixtures?\/)/i.test(filePath)) continue;