/**
* @file Security vulnerability pattern definitions for automated threat detection
* @description Single responsibility: Define security patterns with cross-language vulnerability detection
*
* This configuration module defines comprehensive security vulnerability patterns used by
* the security analyzer to identify potential attack vectors, injection vulnerabilities,
* and unsafe coding practices. It organizes patterns by language and vulnerability type
* to enable precise security scanning across diverse technology stacks.
*
* Design rationale:
* - Cross-language patterns enable comprehensive security coverage
* - Regex-based detection balances accuracy with performance requirements
* - Severity classification enables risk-based vulnerability prioritization
* - Category organization helps identify systematic security weaknesses
* - Language-specific patterns handle framework and syntax variations
*/
// Security Pattern Constants
/**
* Common vulnerability patterns applicable across multiple programming languages
*
* Pattern structure rationale:
* - name: Human-readable vulnerability identifier for clear reporting
* - pattern: Regex for efficient pattern matching in code analysis
* - severity: Risk level (HIGH=immediate threat, MEDIUM=potential risk, LOW=best practice)
* - category: Vulnerability classification for systematic security assessment
* - description: Clear explanation for developers and security teams
*
* Cross-language security focus:
* - SQL injection patterns that work across database technologies
* - XSS vulnerabilities common in web applications regardless of backend
* - Code injection patterns that transcend specific programming languages
* - Input validation failures that appear in multiple contexts
*/
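const COMMON_PATTERNS = [
  {
    name: 'SQL Injection via String Concatenation',
    // A query/execute/prepare call whose first argument is a string literal
    // containing a DML keyword that is then joined to other values with `+`
    // or a template-literal `${...}` placeholder. No closing quote is
    // required after the `+`: the most common form, `query("SELECT ... " + id)`,
    // ends with an identifier, not a second literal. `.` never crosses a
    // newline, so the match stays on one source line.
    pattern: /(?:query|execute|prepare)\s*\(\s*["`'].*?(?:SELECT|INSERT|UPDATE|DELETE).*?(?:\+|\$\{)/i,
    severity: 'HIGH',
    category: 'Injection',
    description: 'SQL query built using string concatenation - use parameterized queries'
  },
  {
    name: 'Unsafe innerHTML with User Data',
    // Both `=` and `+=` assignments whose right-hand side begins with a value
    // read from a request, user, input, parameter or location object.
    pattern: /innerHTML\s*\+?=\s*(?:req\.|user\.|input\.|param\.|params\.|location\.)/,
    severity: 'HIGH',
    category: 'XSS',
    description: 'innerHTML assignment with potential user data - sanitize input'
  }
];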
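/**
 * JavaScript/Node.js-specific vulnerability patterns.
 *
 * Each entry follows the same shape as COMMON_PATTERNS
 * (name, pattern, severity, category, description).
 */
const JAVASCRIPT_PATTERNS = [
  {
    name: 'eval() with Dynamic User Input',
    // eval() and its equivalent `new Function()` constructor fed directly from
    // a request/user/input object or from the process arguments.
    pattern: /(?:eval|new\s+Function)\s*\(\s*(?:req\.|user\.|input\.|param\.|process\.argv)/,
    severity: 'HIGH',
    category: 'Code Injection',
    description: 'eval() function called with potential user input'
  },
  {
    name: 'Hard-coded API Keys',
    // Key material is frequently hex/base64 or carries `-`/`_` separators, so
    // the character class admits those in addition to plain alphanumerics.
    pattern: /(?:api[_-]?key|secret[_-]?key|access[_-]?token)\s*[=:]\s*["`'][A-Za-z0-9_\-\/+=.]{16,}["`']/i,
    severity: 'HIGH',
    category: 'Secrets',
    description: 'Hard-coded API key or secret detected - use environment variables'
  },
  {
    name: 'Insecure Random Generation',
    // Math.random() on the same line as a security-sensitive name, whichever
    // side of the call the name appears on. This covers both
    // `token = Math.random().toString(36)` and `Math.random() * keySpace`.
    pattern: /(?:(?:password|token|key|secret).*Math\.random\(\)|Math\.random\(\).*(?:password|token|key|secret))/i,
    severity: 'MEDIUM',
    category: 'Cryptography',
    description: 'Math.random() used for security-sensitive values - use crypto.randomBytes()'
  }
];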
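/**
 * Python-specific vulnerability patterns.
 *
 * Each entry follows the same shape as COMMON_PATTERNS
 * (name, pattern, severity, category, description).
 */
const PYTHON_PATTERNS = [
  {
    name: 'exec() Usage',
    // The leading \b keeps identifiers such as `my_exec(` or `reexec(` from
    // being reported as calls to the builtin.
    pattern: /\bexec\s*\(/,
    severity: 'HIGH',
    category: 'Code Injection',
    description: 'Use of exec() function is dangerous'
  },
  {
    name: 'eval() Usage',
    // eval() evaluates arbitrary expressions and carries the same risk as exec().
    pattern: /\beval\s*\(/,
    severity: 'HIGH',
    category: 'Code Injection',
    description: 'Use of eval() function is dangerous - use ast.literal_eval() or a dedicated parser'
  }
];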
// Public surface of this module: the three pattern tables, keyed by the
// same names they carry inside the file.
const SECURITY_PATTERNS = {
  COMMON_PATTERNS,
  JAVASCRIPT_PATTERNS,
  PYTHON_PATTERNS,
};

module.exports = SECURITY_PATTERNS;