xploitscan 0.5.0 → 0.6.0

package/dist/index.js

@@ -3365,7 +3365,350 @@ var magicNumbers = {
     return matches.slice(0, 3);
   }
 };
-var allRules = [
+var s3BucketNoEncryption = {
+  id: "VC107",
+  title: "S3 Bucket Without Encryption",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS S3 buckets without server-side encryption leave data at rest unprotected. Enable encryption to protect sensitive data.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_s3_bucket"/.test(content)) return [];
+    const matches = [];
+    const bucketPattern = /resource\s+"aws_s3_bucket"\s+"(\w+)"/g;
+    let m;
+    while ((m = bucketPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/server_side_encryption/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC107",
+          title: s3BucketNoEncryption.title,
+          severity: "high",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Enable S3 bucket encryption: server_side_encryption_configuration { rule { apply_server_side_encryption_by_default { sse_algorithm = 'aws:kms' } } }"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var securityGroupAllInbound = {
+  id: "VC108",
+  title: "Security Group Allows All Inbound",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "Security groups allowing all inbound traffic (0.0.0.0/0 on all ports) expose resources to the entire internet.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(tf|json|yaml|yml)$/)) return [];
+    const matches = [];
+    if (filePath.match(/\.tf$/)) {
+      const ingressPattern = /ingress\s*\{[^}]*cidr_blocks\s*=\s*\[\s*"0\.0\.0\.0\/0"\s*\][^}]*\}/gs;
+      let m;
+      while ((m = ingressPattern.exec(content)) !== null) {
+        if (isCommentLine(content, m.index)) continue;
+        if (/from_port\s*=\s*0/.test(m[0]) || !/from_port/.test(m[0])) {
+          const lineNum = content.substring(0, m.index).split("\n").length;
+          matches.push({
+            rule: "VC108",
+            title: securityGroupAllInbound.title,
+            severity: "critical",
+            category: "Infrastructure",
+            file: filePath,
+            line: lineNum,
+            snippet: getSnippet(content, lineNum),
+            fix: "Restrict security group ingress to specific IP ranges and ports."
+          });
+        }
+      }
+    }
+    if (filePath.match(/\.(json|yaml|yml)$/)) {
+      const cfnPattern = /AWS::EC2::SecurityGroup/g;
+      if (cfnPattern.test(content) && /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/.test(content)) {
+        matches.push(...findMatches(
+          content,
+          /CidrIp\s*:\s*["']?0\.0\.0\.0\/0/g,
+          securityGroupAllInbound,
+          filePath,
+          () => "Restrict security group ingress to specific IP ranges and ports."
+        ));
+      }
+    }
+    return matches;
+  }
+};
+var rdsPubliclyAccessible = {
+  id: "VC109",
+  title: "RDS Instance Publicly Accessible",
+  severity: "critical",
+  category: "Infrastructure",
+  description: "RDS instances with publicly_accessible = true are exposed to the internet, risking unauthorized database access.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_db_instance"/.test(content)) return [];
+    return findMatches(
+      content,
+      /publicly_accessible\s*=\s*true/g,
+      rdsPubliclyAccessible,
+      filePath,
+      () => "Set publicly_accessible = false. Access RDS through VPC private subnets."
+    );
+  }
+};
+var missingCloudTrail = {
+  id: "VC110",
+  title: "Missing CloudTrail Logging",
+  severity: "high",
+  category: "Infrastructure",
+  description: "AWS environments without CloudTrail lack audit logging of API calls, making it difficult to detect unauthorized activity.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/provider\s+"aws"/.test(content)) return [];
+    if (/aws_cloudtrail/.test(content)) return [];
+    const lineNum = content.substring(0, content.search(/provider\s+"aws"/)).split("\n").length;
+    return [{
+      rule: "VC110",
+      title: missingCloudTrail.title,
+      severity: "high",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Enable CloudTrail for audit logging of all AWS API calls."
+    }];
+  }
+};
+var lambdaWithoutVPC = {
+  id: "VC111",
+  title: "Lambda Without VPC",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Lambda functions not placed in a VPC lack network isolation and cannot access VPC-only resources securely.",
+  check(content, filePath) {
+    if (!filePath.match(/\.tf$/)) return [];
+    if (!/resource\s+"aws_lambda_function"/.test(content)) return [];
+    const matches = [];
+    const lambdaPattern = /resource\s+"aws_lambda_function"\s+"(\w+)"/g;
+    let m;
+    while ((m = lambdaPattern.exec(content)) !== null) {
+      if (isCommentLine(content, m.index)) continue;
+      const blockEnd = Math.min(m.index + 2e3, content.length);
+      const blockContent = content.substring(m.index, blockEnd);
+      if (!/vpc_config\s*\{/.test(blockContent)) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC111",
+          title: lambdaWithoutVPC.title,
+          severity: "medium",
+          category: "Infrastructure",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Place Lambda functions in a VPC for network isolation."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerLatestTag = {
+  id: "VC112",
+  title: "Docker Image Using Latest Tag",
+  severity: "high",
+  category: "Configuration",
+  description: "Using :latest or no tag in Docker FROM directives leads to non-reproducible builds and potential security regressions.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const fromPattern = /^FROM\s+(?!scratch)(\S+?)(?:\s+AS\s+\S+)?\s*$/gm;
+    let m;
+    while ((m = fromPattern.exec(content)) !== null) {
+      const image = m[1];
+      if (image.endsWith(":latest") || !image.includes(":") && !image.startsWith("$")) {
+        const lineNum = content.substring(0, m.index).split("\n").length;
+        matches.push({
+          rule: "VC112",
+          title: dockerLatestTag.title,
+          severity: "high",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Pin Docker image versions: FROM node:20-alpine instead of FROM node:latest"
+        });
+      }
+    }
+    return matches;
+  }
+};
+var dockerCopySensitive = {
+  id: "VC113",
+  title: "Docker COPY With Sensitive Files",
+  severity: "high",
+  category: "Configuration",
+  description: "Using COPY . . or ADD . . without a .dockerignore can leak .env files, .git history, and other sensitive data into the Docker image.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    if (!/(?:COPY|ADD)\s+\.\s+\./.test(content)) return [];
+    return findMatches(
+      content,
+      /(?:COPY|ADD)\s+\.\s+\./g,
+      dockerCopySensitive,
+      filePath,
+      () => "Use .dockerignore to exclude .env, .git, node_modules, and sensitive files from the Docker build context."
+    );
+  }
+};
+var dockerTooManyPorts = {
+  id: "VC114",
+  title: "Docker Exposing Too Many Ports",
+  severity: "medium",
+  category: "Configuration",
+  description: "Exposing many ports or wide port ranges increases the attack surface of a container.",
+  check(content, filePath) {
+    if (!filePath.match(/Dockerfile$/i)) return [];
+    const matches = [];
+    const rangePattern = /^EXPOSE\s+\d+-\d+/gm;
+    matches.push(...findMatches(
+      content,
+      rangePattern,
+      dockerTooManyPorts,
+      filePath,
+      () => "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+    ));
+    const exposeLines = content.split("\n").filter((l) => /^\s*EXPOSE\s+/.test(l));
+    if (exposeLines.length > 3) {
+      const firstExpose = content.search(/^\s*EXPOSE\s+/m);
+      if (firstExpose >= 0) {
+        const lineNum = content.substring(0, firstExpose).split("\n").length;
+        matches.push({
+          rule: "VC114",
+          title: dockerTooManyPorts.title,
+          severity: "medium",
+          category: "Configuration",
+          file: filePath,
+          line: lineNum,
+          snippet: getSnippet(content, lineNum),
+          fix: "Only expose necessary ports. Each EXPOSE should have a clear purpose."
+        });
+      }
+    }
+    return matches;
+  }
+};
+var k8sSecretNotEncrypted = {
+  id: "VC115",
+  title: "Kubernetes Secret Not Encrypted",
+  severity: "high",
+  category: "Infrastructure",
+  description: "Kubernetes Secrets stored as plain base64 in manifests are not encrypted and can be trivially decoded. Use sealed-secrets or external-secrets.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*Secret/i.test(content)) return [];
+    if (/sealedsecrets\.bitnami\.com|external-secrets\.io/i.test(content)) return [];
+    return findMatches(
+      content,
+      /kind\s*:\s*Secret/g,
+      k8sSecretNotEncrypted,
+      filePath,
+      () => "Use sealed-secrets or external-secrets-operator. Never store plain secrets in manifests."
+    );
+  }
+};
+var k8sNoResourceLimits = {
+  id: "VC116",
+  title: "Kubernetes Pod Without Resource Limits",
+  severity: "medium",
+  category: "Infrastructure",
+  description: "Pods or deployments without resource limits can consume excessive CPU/memory, causing cluster instability.",
+  check(content, filePath) {
+    if (!filePath.match(/\.(yaml|yml)$/)) return [];
+    if (!/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i.test(content)) return [];
+    if (/resources\s*:\s*\n\s+limits\s*:/m.test(content)) return [];
+    if (/resources\s*:.*limits/i.test(content)) return [];
+    const kindMatch = content.match(/kind\s*:\s*(?:Pod|Deployment|StatefulSet|DaemonSet|Job|CronJob)/i);
+    if (!kindMatch) return [];
+    const lineNum = content.substring(0, kindMatch.index).split("\n").length;
+    return [{
+      rule: "VC116",
+      title: k8sNoResourceLimits.title,
+      severity: "medium",
+      category: "Infrastructure",
+      file: filePath,
+      line: lineNum,
+      snippet: getSnippet(content, lineNum),
+      fix: "Set resource limits to prevent pods from consuming excessive CPU/memory."
+    }];
+  }
+};
+var freeRules = [
+  hardcodedSecrets,
+  // VC001
+  exposedEnvFile,
+  // VC002
+  missingAuthMiddleware,
+  // VC003
+  supabaseNoRLS,
+  // VC004
+  stripeWebhookUnprotected,
+  // VC005
+  sqlInjection,
+  // VC006
+  xssVulnerability,
+  // VC007
+  noRateLimiting,
+  // VC008
+  corsWildcard,
+  // VC009
+  clientSideAuth,
+  // VC010
+  nextPublicSecret,
+  // VC011
+  envNotGitignored,
+  // VC014
+  evalUsage,
+  // VC015
+  unvalidatedRedirect,
+  // VC016
+  insecureCookies,
+  // VC017
+  exposedAuthSecret,
+  // VC018
+  missingCSP,
+  // VC020
+  hardcodedJWTSecret,
+  // VC031
+  missingHTTPS,
+  // VC032
+  exposedDebugMode,
+  // VC033
+  insecureRandomness,
+  // VC034
+  missingErrorBoundary,
+  // VC036
+  exposedStackTraces,
+  // VC037
+  missingLockFile,
+  // VC039
+  dangerousInnerHTML,
+  // VC063
+  consoleLogProduction,
+  // VC097
+  emptyCatchBlock,
+  // VC104
+  todoLeftInCode,
+  // VC103
+  weakHashing,
+  // VC060
+  disabledTLSVerification
+  // VC061
+];
+var proRules = [
   hardcodedSecrets,
   exposedEnvFile,
   missingAuthMiddleware,
@@ -3471,14 +3814,25 @@ var allRules = [
   todoLeftInCode,
   emptyCatchBlock,
   callbackHell,
-  magicNumbers
+  magicNumbers,
+  s3BucketNoEncryption,
+  securityGroupAllInbound,
+  rdsPubliclyAccessible,
+  missingCloudTrail,
+  lambdaWithoutVPC,
+  dockerLatestTag,
+  dockerCopySensitive,
+  dockerTooManyPorts,
+  k8sSecretNotEncrypted,
+  k8sNoResourceLimits
 ];
-function runCustomRules(content, filePath, disabledRules = []) {
+function runCustomRules(content, filePath, disabledRules = [], tier = "free") {
   const findings = [];
   if (/function runScan\(files\)|export function runCustomRules/.test(content) && /const (?:rules|allRules)\s*[:=]/.test(content) && /findMatches/.test(content)) {
     return findings;
   }
-  for (const rule of allRules) {
+  const ruleset = tier === "pro" ? proRules : freeRules;
+  for (const rule of ruleset) {
     if (disabledRules.includes(rule.id)) continue;
     const matches = rule.check(content, filePath);
     const compliance = complianceMap[rule.id];