| "use strict"; |
| |
| |
| |
| |
| |
| |
// TypeScript-emitted interop helper (regenerated on every build; do not hand-edit).
// Copies property `k` of module object `m` onto `o` under the name `k2` (defaults
// to `k`). With Object.create available it installs a getter that reads m[k] on
// each access, unless `m` is an __esModule namespace exposing an accessor or the
// property is a non-writable, non-configurable data property, in which case the
// source's own descriptor is copied as-is. Without Object.create it is a plain copy.
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
  if (k2 === undefined) k2 = k;
  var desc = Object.getOwnPropertyDescriptor(m, k);
  if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
    desc = { enumerable: true, get: function() { return m[k]; } };
  }
  Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
  if (k2 === undefined) k2 = k;
  o[k2] = m[k];
}));
// TypeScript-emitted interop helper (regenerated on every build; do not hand-edit).
// Exposes `v` as the `default` export of namespace object `o`: as an enumerable,
// read-only property when defineProperty is available, else by direct assignment.
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
  Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
  o["default"] = v;
});
// TypeScript-emitted interop helper (regenerated on every build; do not hand-edit).
// Emulates `import * as ns from "x"` over a CommonJS module: a module already
// flagged __esModule is returned unchanged; otherwise every own key except
// "default" is bound onto a fresh object via __createBinding and the module
// itself becomes that object's `default`.
var __importStar = (this && this.__importStar) || (function () {
  // Lazily picks Object.getOwnPropertyNames, falling back to a for-in walk
  // filtered to own properties; the choice is made once and then cached.
  var ownKeys = function(o) {
    ownKeys = Object.getOwnPropertyNames || function (o) {
      var ar = [];
      for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
      return ar;
    };
    return ownKeys(o);
  };
  return function (mod) {
    if (mod && mod.__esModule) return mod;
    var result = {};
    if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
    __setModuleDefault(result, mod);
    return result;
  };
})();
// CommonJS export surface. The function exports are assigned before the
// function declarations appear further down; that works because function
// declarations are hoisted. SECURITY_PATTERNS is only a placeholder here and
// is populated below.
Object.defineProperty(exports, "__esModule", { value: true });
exports.SECURITY_PATTERNS = void 0;
exports.scanFile = scanFile;
exports.scanFiles = scanFiles;
exports.getSeverityScore = getSeverityScore;
exports.sortBySeverity = sortBySeverity;
// Node's fs module wrapped as an ES-style namespace object (see __importStar).
const fs = __importStar(require("fs"));
| |
| |
| |
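/**
 * Built-in rules applied by scanFile / scanFiles.
 *
 * Each entry has `pattern` (a RegExp that must carry the g flag: scanFile
 * loops on exec() and relies on it advancing), `rule` (stable identifier),
 * `severity` ('critical' | 'high' | 'medium' | 'low', ranked by
 * getSeverityScore), `message`, and an optional `suggestion`.
 *
 * These are text heuristics, not a parser. Expect false positives (for
 * example `exec(` also hits RegExp#exec, and the template-literal rule fires
 * on every `${…}`) and false negatives (credentials split across lines or
 * produced by helper calls). Treat a hit as a prompt for review, not a verdict.
 */
exports.SECURITY_PATTERNS = [
  // Hardcoded credentials. `[:=]` covers both assignments (`password = '…'`)
  // and object/JSON/YAML-style properties (`password: '…'`); `[^'"]+` requires
  // a non-empty literal, so empty placeholders are not reported.
  { pattern: /password\s*[:=]\s*['"][^'"]+['"]/gi, rule: 'no-hardcoded-password', severity: 'critical', message: 'Hardcoded password detected', suggestion: 'Use environment variables or secret management' },
  { pattern: /api[_-]?key\s*[:=]\s*['"][^'"]+['"]/gi, rule: 'no-hardcoded-apikey', severity: 'critical', message: 'Hardcoded API key detected', suggestion: 'Use environment variables' },
  { pattern: /secret\s*[:=]\s*['"][^'"]+['"]/gi, rule: 'no-hardcoded-secret', severity: 'critical', message: 'Hardcoded secret detected', suggestion: 'Use environment variables or secret management' },
  { pattern: /private[_-]?key\s*[:=]\s*['"][^'"]+['"]/gi, rule: 'no-hardcoded-private-key', severity: 'critical', message: 'Hardcoded private key detected', suggestion: 'Use secure key management' },

  // Dynamic code and command execution.
  { pattern: /eval\s*\(/g, rule: 'no-eval', severity: 'high', message: 'Avoid eval() - code injection risk', suggestion: 'Use safer alternatives like JSON.parse()' },
  // Also matches RegExp#exec and similarly named methods; expect noise.
  { pattern: /exec\s*\(/g, rule: 'no-exec', severity: 'high', message: 'Avoid exec() - command injection risk', suggestion: 'Use execFile or spawn with args array' },
  // `\b` keeps identifiers that merely end in "Function" (e.g. `myFunction(`) from matching.
  { pattern: /\bFunction\s*\(/g, rule: 'no-function-constructor', severity: 'high', message: 'Avoid Function constructor - code injection risk' },
  { pattern: /child_process.*exec\(/g, rule: 'no-shell-exec', severity: 'high', message: 'Shell execution detected', suggestion: 'Use execFile or spawn instead' },

  // SQL built by string concatenation or template interpolation.
  { pattern: /SELECT\s+.*\s+FROM.*\+/gi, rule: 'sql-injection-risk', severity: 'high', message: 'Potential SQL injection - string concatenation in query', suggestion: 'Use parameterized queries' },
  { pattern: /`SELECT.*\$\{/gi, rule: 'sql-injection-template', severity: 'high', message: 'Template literal in SQL query', suggestion: 'Use parameterized queries' },

  // DOM sinks that interpret markup.
  { pattern: /dangerouslySetInnerHTML/g, rule: 'xss-risk', severity: 'medium', message: 'XSS risk: dangerouslySetInnerHTML', suggestion: 'Sanitize content before rendering' },
  { pattern: /innerHTML\s*=/g, rule: 'no-inner-html', severity: 'medium', message: 'Avoid innerHTML - XSS risk', suggestion: 'Use textContent or sanitize content' },
  { pattern: /document\.write\s*\(/g, rule: 'no-document-write', severity: 'medium', message: 'Avoid document.write - XSS risk' },

  // Low-confidence prompts for manual review.
  { pattern: /\$\{.*\}/g, rule: 'template-injection', severity: 'low', message: 'Template literal detected - verify no injection' },
  { pattern: /new\s+RegExp\s*\([^)]*\+/g, rule: 'regex-injection', severity: 'medium', message: 'Dynamic RegExp - potential ReDoS risk', suggestion: 'Validate/sanitize regex input' },
  { pattern: /\.on\s*\(\s*['"]error['"]/g, rule: 'unhandled-error', severity: 'low', message: 'Error handler detected - verify proper error handling' },
];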
| |
| |
| |
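/**
 * Scan one file (or an in-memory string) against a list of security patterns.
 *
 * @param {string} filePath - Path recorded in each finding; read from disk only
 *   when `content` is nullish.
 * @param {string} [content] - Text to scan instead of reading `filePath`.
 * @param {Array<{pattern: RegExp, rule: string, severity: string, message: string, suggestion?: string}>} [patterns]
 *   Rules to apply; defaults to SECURITY_PATTERNS.
 * @returns {Array<{file: string, line: number, severity: string, rule: string, message: string, match: string, suggestion?: string}>}
 *   One finding per non-empty regex match, grouped in pattern order. A missing
 *   or unreadable file yields no findings rather than an error (best-effort scan).
 */
function scanFile(filePath, content, patterns = exports.SECURITY_PATTERNS) {
  const findings = [];
  const fileContent = content ?? readFileOrEmpty(filePath);
  if (!fileContent) {
    return findings;
  }
  for (const { pattern, rule, severity, message, suggestion } of patterns) {
    // A fresh RegExp keeps the caller's regex lastIndex untouched. The g flag is
    // forced: without it exec() would return the first match forever.
    const flags = pattern.flags.includes('g') ? pattern.flags : `${pattern.flags}g`;
    const regex = new RegExp(pattern.source, flags);
    // Matches arrive in increasing index order, so count newlines incrementally
    // instead of re-splitting the whole prefix on every match (O(n) per pattern).
    let line = 1;
    let cursor = 0;
    let match;
    while ((match = regex.exec(fileContent)) !== null) {
      if (match[0].length === 0) {
        // Zero-width match: exec() would not advance and the loop would never end.
        regex.lastIndex += 1;
        continue;
      }
      for (let i = cursor; i < match.index; i += 1) {
        if (fileContent.charCodeAt(i) === 10) line += 1;
      }
      cursor = match.index;
      findings.push({
        file: filePath,
        line,
        severity,
        rule,
        message,
        // Truncated for display, not redacted: for the hardcoded-credential
        // rules this snippet contains the literal value, so findings are
        // sensitive output.
        match: match[0].slice(0, 50),
        suggestion,
      });
    }
  }
  return findings;
}

// Reads `filePath` as UTF-8 and returns '' when it cannot be read (missing path,
// permission error, directory), keeping the scan best-effort. Trying the read
// directly avoids the existsSync/readFileSync race.
function readFileOrEmpty(filePath) {
  try {
    return fs.readFileSync(filePath, 'utf-8');
  } catch {
    return '';
  }
}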
| |
| |
| |
/**
 * Scan several files from disk and concatenate their findings.
 *
 * @param {string[]} files - Paths to scan.
 * @param {Array<{pattern: RegExp, rule: string, severity: string, message: string, suggestion?: string}>} [patterns]
 *   Rules to apply; defaults to SECURITY_PATTERNS.
 * @param {number} [maxFiles=100] - Only the first `maxFiles` paths are scanned;
 *   the rest are silently skipped.
 * @returns {Array<object>} Findings in file order, then pattern order.
 */
function scanFiles(files, patterns = exports.SECURITY_PATTERNS, maxFiles = 100) {
  const selected = files.slice(0, maxFiles);
  return selected.flatMap((file) => scanFile(file, undefined, patterns));
}
| |
| |
| |
/**
 * Numeric rank of a severity label so findings can be compared.
 *
 * @param {string} severity - 'critical' | 'high' | 'medium' | 'low'.
 * @returns {number} 4 for critical down to 1 for low; 0 for any other value.
 */
function getSeverityScore(severity) {
  // A Map rather than a plain object so inherited keys such as 'toString' score 0.
  const rank = new Map([
    ['critical', 4],
    ['high', 3],
    ['medium', 2],
    ['low', 1],
  ]);
  return rank.get(severity) ?? 0;
}
| |
| |
| |
/**
 * Return a copy of `findings` ordered from most to least severe.
 *
 * @param {Array<{severity: string}>} findings - Findings to order; not mutated.
 * @returns {Array<object>} New array, highest getSeverityScore first; ties keep
 *   their input order (Array#sort is stable).
 */
function sortBySeverity(findings) {
  const mostSevereFirst = (left, right) =>
    getSeverityScore(right.severity) - getSeverityScore(left.severity);
  const ordered = Array.from(findings);
  ordered.sort(mostSevereFirst);
  return ordered;
}
// Default export mirroring the named exports, for `import scanner from …` callers.
exports.default = {
  SECURITY_PATTERNS: exports.SECURITY_PATTERNS,
  scanFile,
  scanFiles,
  getSeverityScore,
  sortBySeverity,
};
|
|