AI-powered toolkit for embedding QA and security testing into development workflows

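"use strict";
/**
 * API Route Analyzer
 *
 * This module provides enhanced static analysis for API routes in various frameworks
 * including Express, Next.js API routes, and other Node.js server frameworks.
 *
 * Every pattern is a source-code regex plus the finding metadata a report needs.
 * The regexes are heuristics over raw text: they do not parse JavaScript, so they
 * are bounded by the first `}` / `)` / `]` they meet and can miss multi-line or
 * nested constructs. Treat a hit as "needs review", not as proof of a vulnerability.
 */
Object.defineProperty(exports, "__esModule", { value: true });
exports.getAllApiPatterns = exports.GENERIC_API_PATTERNS = exports.EXPRESS_API_PATTERNS = void 0;
/**
 * @typedef {object} ApiSecurityPattern
 * @property {RegExp} pattern - Regex applied to source text; a match yields one finding.
 * @property {'LOW'|'MEDIUM'|'HIGH'|'CRITICAL'} severity - Reported severity.
 * @property {string} title - Short finding title.
 * @property {string} description - Why the matched code is a risk.
 * @property {string} remediation - What to change.
 * @property {string[]} [framework] - Frameworks the pattern applies to; absent means framework-agnostic.
 * @property {string} category - Grouping key for reports.
 */
/**
 * Express.js specific security patterns
 * @type {ApiSecurityPattern[]}
 */
exports.EXPRESS_API_PATTERNS = [
    // Input validation issues
    {
        // A route handler `app.<verb>('<path>', [async] (...) => {` whose body (up to the first `}`)
        // reads req.body/query/params. The validate/sanitize/escape exclusion is a look-ahead over
        // the whole body: a trailing `(?!...)` after the req.* reference (the previous form) only
        // inspected the characters immediately following it, so it excluded nothing.
        pattern: /app\.(?:get|post|put|delete|patch)\s*\(\s*['"][^'"]*['"]\s*,\s*(?:async\s*)?\([^)]*\)\s*=>\s*{(?![^}]*(?:validate|sanitize|escape))[^}]*req\.(?:body|query|params)/,
        severity: 'HIGH',
        title: 'Unvalidated Request Data in Express Route',
        description: 'Using request data without validation can lead to injection attacks',
        remediation: 'Use middleware like express-validator to validate all request data before processing',
        framework: ['express'],
        category: 'input-validation'
    },
    {
        // `app.use(express.json())` appearing anywhere before `app.use(helmet())`; `[^]` is the
        // JS idiom for "any character including newline", kept lazy so the span is the shortest one.
        pattern: /app\.use\s*\(\s*express\.json\s*\(\s*\)\s*\)[^]*?app\.use\s*\(\s*helmet\s*\(\s*\)\s*\)/,
        severity: 'MEDIUM',
        title: 'Security Middleware Order Issue',
        description: 'Using helmet middleware after parsing JSON can expose your application to certain attacks',
        remediation: 'Always use security middleware like helmet before parsing request bodies',
        framework: ['express'],
        category: 'middleware-order'
    },
    // Authentication issues
    {
        // `jwt.verify(token)` or `jwt.verify(token, secret)`: one or two comma-free arguments and no
        // third (options) argument. The previous form allowed no comma at all, so the common
        // two-argument call this finding is about was never matched.
        pattern: /(?:jwt|token)\.verify\s*\([^,)]*(?:,[^,)]*)?\)/,
        severity: 'HIGH',
        title: 'JWT Verification Without Options',
        description: 'JWT verification without explicit options can lead to insecure token validation',
        remediation: 'Always provide explicit options to jwt.verify including algorithms, issuer, and audience',
        framework: ['express', 'node'],
        category: 'authentication'
    },
    {
        // `new Session({ ... cookie|secure|httpOnly ... : false` within the first object literal.
        pattern: /new\s+Session\s*\(\s*{[^}]*?(?:cookie|secure|httpOnly)[^}]*?:\s*false/,
        severity: 'CRITICAL',
        title: 'Insecure Session Configuration',
        description: 'Setting secure or httpOnly to false on cookies exposes sessions to theft and XSS attacks',
        remediation: 'Always set secure: true and httpOnly: true for session cookies in production',
        framework: ['express', 'node'],
        category: 'session-management'
    },
    // SQL Injection vulnerabilities
    {
        // `<db>.query(` followed by a quoted string that contains a `${...}` interpolation.
        pattern: /(?:db|sql|conn|connection)\.query\s*\(\s*[`'"][^`'"]*\$\{[^}]*\}[^`'"]*[`'"]/,
        severity: 'CRITICAL',
        title: 'SQL Injection Vulnerability',
        description: 'Using template literals or string concatenation in SQL queries enables SQL injection attacks',
        remediation: 'Use parameterized queries or prepared statements with query placeholders (?, $1) instead of string interpolation',
        framework: ['express', 'node'],
        category: 'sql-injection'
    },
    // NoSQL Injection vulnerabilities
    {
        // `<collection>.find({ ... ${...} ... })`: a `${...}` interpolation inside the query object literal.
        pattern: /(?:collection|model)\.(?:find|findOne|updateOne|deleteOne)\s*\(\s*{[^}]*\$\{[^}]*\}[^}]*\}/,
        severity: 'CRITICAL',
        title: 'NoSQL Injection Vulnerability',
        description: 'Using unvalidated user input in MongoDB queries can lead to NoSQL injection attacks',
        remediation: 'Validate and sanitize user input before using it in NoSQL queries, and use typed objects rather than string interpolation',
        framework: ['express', 'node', 'mongodb'],
        category: 'nosql-injection'
    },
    // File operation vulnerabilities
    {
        // fs.<op>( whose first argument is either `path.join|resolve(... req.params|query|body.x ...)`
        // or a quoted string interpolating `${req.params|query|body.x}`.
        pattern: /(?:fs|FileSystem)\.(?:readFile|writeFile|appendFile|createReadStream|createWriteStream)\s*\(\s*(?:path\.(?:join|resolve)\s*\([^,)]*req\.(?:params|query|body)\.[^,)]*\)|[`'"][^`'"]*\$\{req\.(?:params|query|body)\.[^}]*\}[^`'"]*[`'"])/,
        severity: 'CRITICAL',
        title: 'Path Traversal Vulnerability',
        description: 'Using user input in file system operations without proper sanitization can lead to path traversal attacks',
        remediation: 'Validate file paths against a whitelist, use path.basename() to extract the filename only, and never use user input directly in file paths',
        framework: ['express', 'node'],
        category: 'file-operations'
    }
];
/**
 * Generic Node.js API security patterns applicable across multiple frameworks
 * @type {ApiSecurityPattern[]}
 */
exports.GENERIC_API_PATTERNS = [
    // Server misconfiguration
    {
        // `res.header('X-Powered-By'` / `res.setHeader('X-Powered-By'`.
        pattern: /(?:res\.header|res\.setHeader)\s*\(\s*['"]X-Powered-By['"]/,
        severity: 'LOW',
        title: 'Information Disclosure in Headers',
        description: 'Setting X-Powered-By header exposes implementation details that could be useful to attackers',
        remediation: 'Remove or replace the X-Powered-By header to avoid information disclosure',
        category: 'server-config'
    },
    {
        // `console.<level>(req.body|headers|query|cookies` (also `request.`).
        pattern: /console\.(?:log|error|warn|info|debug)\s*\(\s*(?:req|request)\.(?:body|headers|query|cookies)/,
        severity: 'MEDIUM',
        title: 'Sensitive Data Logging',
        description: 'Logging request data can expose sensitive information and violate privacy regulations',
        remediation: 'Implement proper log sanitization to mask or remove sensitive data before logging',
        category: 'logging'
    },
    // CORS issues
    {
        // `cors({ ... origin: '*'` within the options object literal.
        pattern: /cors\s*\(\s*{[^}]*origin\s*:\s*['"][*]['"]/,
        severity: 'HIGH',
        title: 'Permissive CORS Policy',
        description: 'Setting CORS to allow all origins (*) permits any website to make requests to your API',
        remediation: 'Restrict CORS to specific trusted origins that require access to your API',
        category: 'cors'
    },
    // Secret management
    {
        // `<secret-like name> : or = '<literal>'`, case-insensitive; literals starting with `${` or
        // `process.env` are skipped so interpolated / environment-sourced values are not flagged.
        pattern: /(?:apiKey|secret|password|token|pw|apiSecret|clientSecret|secretKey)\s*(?::|=)\s*['"`](?!\$\{|process\.env)[^'"`]*['"`]/i,
        severity: 'CRITICAL',
        title: 'Hardcoded Credentials',
        description: 'Credentials or secrets hardcoded in source code are easily exposed and a severe security risk',
        remediation: 'Use environment variables or a secure secret management solution instead of hardcoding secrets',
        category: 'secrets'
    },
    // Content Security Policy
    {
        // `helmet({ ... contentSecurityPolicy|directives: { ... 'default-src'|'script-src': [ ... '*'`.
        // The previous form had an unparenthesised trailing alternative `|['"][*]['"]\s*\]`, which
        // made any `'*']` anywhere in a file a hit regardless of helmet/CSP context.
        pattern: /(?:helmet|csp)\s*\(\s*{[^}]*(?:contentSecurityPolicy|directives)\s*:\s*{[^}]*['"](?:default-src|script-src)['"]\s*:\s*\[[^\]]*['"][*]['"]/,
        severity: 'HIGH',
        title: 'Permissive Content Security Policy',
        description: 'Using wildcards (*) in CSP directives reduces the effectiveness of your security policy',
        remediation: 'Define specific sources for each CSP directive and avoid using wildcards',
        category: 'csp'
    }
];
/**
 * Combines all API security patterns into a single array
 * @param {string[]} [frameworks] Optionally filter patterns by framework; omitted or empty returns every pattern
 * @returns {ApiSecurityPattern[]} a fresh array on each call, so callers may mutate it without affecting the exports
 */
const getAllApiPatterns = (frameworks) => {
    const allPatterns = [...exports.EXPRESS_API_PATTERNS, ...exports.GENERIC_API_PATTERNS];
    if (!frameworks || frameworks.length === 0) {
        return allPatterns;
    }
    const wanted = new Set(frameworks);
    // Patterns without a framework list are framework-agnostic and are always included.
    return allPatterns.filter((pattern) => !pattern.framework || pattern.framework.some((fw) => wanted.has(fw)));
};
exports.getAllApiPatterns = getAllApiPatterns;
//# sourceMappingURL=apiRouteAnalyzer.js.map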