Press n or j to go to the next uncovered block, b, p or k for the previous block.
| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | 4x 4x 4x 4x 110x 551x 551x 551x 110x 110x 4x 114x 567x 114x 5x 160x 5x 106x 106x 5x 126x 126x 126x 126x 188x 7x 7x 8x 1x 1x 1x 1x 2x 2x 2x 2x 2x 1x 1x 110x 1x 1x 1x 2x 2x 4x 2x 2x 2x 4x 3x 3x 4x 4x 4x 2007x 126x 126x 126x 126x 126x | import * as ts from 'typescript';
import { getLineAndCharacter } from './utils.js';
import type { CodeLocation, FileEntry, SuspiciousString } from './types.js';
const SECRET_PATTERNS = [
/password\s*[:=]\s*['"`]/i,
/api[_-]?key\s*[:=]\s*['"`]/i,
/secret\s*[:=]\s*['"`]/i,
/token\s*[:=]\s*['"`]/i,
/-----BEGIN.*KEY/,
/private[_-]?key\s*[:=]\s*['"`]/i,
/auth[_-]?token\s*[:=]\s*['"`]/i,
];
const SQL_KEYWORDS = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE)\b/i;
/** Strings that look like placeholders, not real secrets */
const PLACEHOLDER_PATTERN = /^(YOUR_|REPLACE_ME|<[a-z_-]+>|\$\{|{{)/i;
/** UUID pattern: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx */
const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isInsideRegexLiteral(node: ts.Node): boolean {
let current: ts.Node | undefined = node.parent;
while (current) {
Iif (ts.isRegularExpressionLiteral(current)) return true;
// Check if inside a new RegExp() call
Iif (ts.isNewExpression(current) && current.expression.getText(node.getSourceFile()) === 'RegExp') return true;
current = current.parent;
}
return false;
}
function isPlaceholderOrUuid(value: string): boolean {
return PLACEHOLDER_PATTERN.test(value) || UUID_PATTERN.test(value);
}
/** Skip strings inside finding metadata fields (suggestedFix, reason, impact, etc.) */
const METADATA_PROP_NAMES = new Set([
'suggestedFix', 'strategy', 'steps', 'reason', 'impact', 'expectedResult', 'title',
]);
function isInsideMetadataProperty(node: ts.Node): boolean {
let current: ts.Node | undefined = node.parent;
while (current) {
if (ts.isPropertyAssignment(current) && ts.isIdentifier(current.name)) {
if (METADATA_PROP_NAMES.has(current.name.text)) return true;
}
current = current.parent;
}
return false;
}
function computeShannonEntropy(s: string): number {
const freq = new Map<string, number>();
for (const ch of s) freq.set(ch, (freq.get(ch) || 0) + 1);
let entropy = 0;
for (const count of freq.values()) {
const p = count / s.length;
Eif (p > 0) entropy -= p * Math.log2(p);
}
return entropy;
}
export function collectSecurityData(sourceFile: ts.SourceFile, fileRelative: string, fileEntry: FileEntry): void {
const evalUsages: CodeLocation[] = [];
const unsafeHtmlAssignments: CodeLocation[] = [];
const suspiciousStrings: SuspiciousString[] = [];
const regexLiterals: Array<{ lineStart: number; lineEnd: number; pattern: string }> = [];
const visit = (node: ts.Node): void => {
if (ts.isCallExpression(node)) {
const text = node.expression.getText(sourceFile);
if (text === 'eval' || text === 'Function') {
const loc = getLineAndCharacter(sourceFile, node);
evalUsages.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
if (text === 'new Function') {
const loc = getLineAndCharacter(sourceFile, node);
evalUsages.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
if ((text === 'setTimeout' || text === 'setInterval') && node.arguments.length > 0) {
const firstArg = node.arguments[0];
if (ts.isStringLiteral(firstArg) || ts.isNoSubstitutionTemplateLiteral(firstArg)) {
const loc = getLineAndCharacter(sourceFile, node);
evalUsages.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
}
if (text === 'document.write' || text === 'document.writeln') {
const loc = getLineAndCharacter(sourceFile, node);
unsafeHtmlAssignments.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
}
if (ts.isNewExpression(node) && node.expression.getText(sourceFile) === 'Function') {
const loc = getLineAndCharacter(sourceFile, node);
evalUsages.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
if (ts.isBinaryExpression(node) && node.operatorToken.kind === ts.SyntaxKind.EqualsToken) {
if (ts.isPropertyAccessExpression(node.left)) {
const prop = node.left.name.getText(sourceFile);
if (prop === 'innerHTML' || prop === 'outerHTML') {
const loc = getLineAndCharacter(sourceFile, node);
unsafeHtmlAssignments.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
}
}
if (ts.isJsxAttribute(node) && node.name.getText(sourceFile) === 'dangerouslySetInnerHTML') {
const loc = getLineAndCharacter(sourceFile, node);
unsafeHtmlAssignments.push({ file: fileRelative, lineStart: loc.lineStart, lineEnd: loc.lineEnd });
}
if (ts.isStringLiteral(node) || ts.isNoSubstitutionTemplateLiteral(node)) {
if (!isInsideMetadataProperty(node) && !isInsideRegexLiteral(node)) {
const value = node.text;
if (!isPlaceholderOrUuid(value)) {
for (const pattern of SECRET_PATTERNS) {
if (pattern.test(value)) {
const loc = getLineAndCharacter(sourceFile, node);
suspiciousStrings.push({ lineStart: loc.lineStart, lineEnd: loc.lineEnd, kind: 'hardcoded-secret', snippet: value.slice(0, 40), context: 'literal' });
break;
}
}
if (value.length >= 20 && computeShannonEntropy(value) > 4.5) {
const loc = getLineAndCharacter(sourceFile, node);
suspiciousStrings.push({ lineStart: loc.lineStart, lineEnd: loc.lineEnd, kind: 'hardcoded-secret', context: 'literal' });
}
}
}
}
if (ts.isRegularExpressionLiteral(node)) {
// Tag regex-definition context for strings inside regex that match secret patterns
const regexText = node.getText(sourceFile);
for (const pattern of SECRET_PATTERNS) {
if (pattern.test(regexText)) {
// This is a regex that mentions secret keywords — NOT a real secret
// Mark as regex-definition so the detector can skip it
const loc = getLineAndCharacter(sourceFile, node);
suspiciousStrings.push({ lineStart: loc.lineStart, lineEnd: loc.lineEnd, kind: 'hardcoded-secret', snippet: regexText.slice(0, 40), context: 'regex-definition' });
break;
}
}
}
if (ts.isTemplateExpression(node)) {
if (!isInsideMetadataProperty(node)) {
const fullText = node.getText(sourceFile);
if (SQL_KEYWORDS.test(fullText) && node.templateSpans.length > 0) {
const loc = getLineAndCharacter(sourceFile, node);
suspiciousStrings.push({ lineStart: loc.lineStart, lineEnd: loc.lineEnd, kind: 'sql-injection', snippet: fullText.slice(0, 60) });
}
}
}
if (ts.isRegularExpressionLiteral(node)) {
const pattern = node.text;
const loc = getLineAndCharacter(sourceFile, node);
regexLiterals.push({ lineStart: loc.lineStart, lineEnd: loc.lineEnd, pattern });
}
ts.forEachChild(node, visit);
};
ts.forEachChild(sourceFile, visit);
fileEntry.evalUsages = evalUsages;
fileEntry.unsafeHtmlAssignments = unsafeHtmlAssignments;
fileEntry.suspiciousStrings = suspiciousStrings;
fileEntry.regexLiterals = regexLiterals;
}
|