unsafe route checker

Author: slowcoder360

README.md

@@ -8,6 +8,9 @@ VibeSafe helps developers quickly check their projects for common security issue
 
 *   **Secret Scanning:** Detects potential secrets (API keys, credentials) using regex patterns and entropy analysis.
 *   **Dependency Scanning:** Parses package manifests (currently `package.json`) and checks dependencies against the OSV.dev vulnerability database.
+*   **Configuration Scanning:** Checks configuration files (JSON, YAML) for common insecure settings (e.g., `DEBUG=true`, permissive CORS).
+*   **Unvalidated Upload Detection:** Identifies potential missing file size/type restrictions in common upload libraries (e.g., `multer`, `formidable`) and generic patterns (`FormData`, `<input type="file">`).
+*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`) based on common patterns.
 *   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report`).
 *   **AI-Powered Suggestions (Optional):** Generates fix suggestions in the Markdown report using OpenAI (requires API key).
 *   **Filtering:** Focus on high-impact issues using `--high-only`.
@@ -45,7 +48,11 @@ vibesafe scan -o scan-results.json
 **Generate Markdown Report:**
 
 ```bash
-vibesafe scan -r scan-report.md
+# Generate report with a specific name
+vibesafe scan -r my-report.md
+
+# Generate report with the default name (VIBESAFE-REPORT.md in the scanned directory)
+vibesafe scan -r 
 ```
 
 **Generate AI Report (Requires API Key):**
@@ -59,7 +66,11 @@ To generate fix suggestions in the Markdown report, you need an OpenAI API key.
     ```
 3.  Run the scan with the report flag:
     ```bash
-    vibesafe scan -r ai-report.md
+    # Use default name VIBESAFE-REPORT.md
+    vibesafe scan -r
+
+    # Or specify a name
+    vibesafe scan -r vibesafe-ai-report.md 
     ```
 
 **Show Only High/Critical Issues:**
@@ -72,7 +83,7 @@ vibesafe scan --high-only
 
 Create a `.vibesafeignore` file in the root of the directory being scanned. Add file paths or glob patterns (one per line) to exclude them from the scan. The syntax is the same as `.gitignore`.
 
-**Example `.vibesafeignore`:**
+**Example `.vibesafeignore**:**
 
 ```
 # Ignore all test data

instructions.md

@@ -93,18 +93,15 @@
 
 ### Phase 6: Additional Common Checks
 1. **Insecure Default Configurations**  
-   - [ ] Scan config files (JSON/YAML) for flags like `DEBUG=true`, `devMode`, or permissive CORS (`*` origins)  
+   - [x] Scan config files (JSON/YAML) for flags like `DEBUG=true`, `devMode`, or permissive CORS (`*` origins)  
 2. **Unvalidated File Uploads**  
-   - [ ] Detect code handling file uploads (e.g., multer, busboy) without size/type restrictions  
+   - [x] Detect code handling file uploads (e.g., multer, busboy, formidable, express-fileupload, generic patterns) without size/type restrictions  
 3. **Exposed Debug/Admin Endpoints**  
-   - [ ] Search for routes named `/debug`, `/admin`, `/console`  
-   - [ ] Flag those without authentication or middleware checks  
+   - [x] Search for routes named `/debug`, `/admin`, `/status`, `/info`, etc. using framework patterns or string literals
+   - [ ] Flag those without authentication or middleware checks // (Future enhancement - complex)
 4. **Lack of Rate‑Limiting**  
    - [ ] Identify HTTP handlers or clients missing rate‑limiter middleware (e.g., express-rate-limit)  
-   - [ ] Flag missing throttle/retry settings in HTTP client code  
-5. **Insufficient Logging & Error Sanitization**  
-   - [ ] Find logging of full error objects or stack traces (e.g., `console.error(err)`)  
-   - [ ] Detect logging of PII or sensitive data in plain text  
+   - [ ] Flag missing throttle/retry settings in HTTP client code
 
 ## 6. Risks & Mitigations
 
@@ -124,4 +121,4 @@
 **Next Steps:**  
 1. Tackle Phase 6 atomic tasks in order.  
 2. Validate each check against representative repos.  
-3. Prepare to expand into “Most Dangerous” vulnerability scans once Phase 6 is done.  
+3. Prepare to expand into "Most Dangerous" vulnerability scans once Phase 6 is done.  

package.json

@@ -25,11 +25,13 @@
     "typescript": "^5.8.3"
   },
   "dependencies": {
+    "@types/js-yaml": "^4.0.9",
     "axios": "^1.8.4",
     "chalk": "^4.1.2",
     "commander": "^13.1.0",
     "dotenv": "^16.5.0",
     "ignore": "^7.0.3",
+    "js-yaml": "^4.1.0",
     "openai": "^4.95.0",
     "ora": "^5.4.1"
   }

src/index.ts

@@ -11,11 +11,14 @@ import { generateMarkdownReport } from './reporting/markdown';
 import path from 'path';
 import fs from 'fs';
 import chalk from 'chalk';
+import { scanConfigFile, ConfigFinding } from './scanners/configuration';
+import { scanForUnvalidatedUploads, UploadFinding } from './scanners/uploads';
+import { scanForExposedEndpoints, EndpointFinding } from './scanners/endpoints';
 
 // Define a combined finding type if needed later
 
 // Helper for coloring severities
-function colorSeverity(severity: FindingSeverity | SecretFinding['severity']): string {
+function colorSeverity(severity: FindingSeverity | SecretFinding['severity'] | UploadFinding['severity']): string {
     switch (severity) {
         case 'Critical': return chalk.red.bold(severity);
         case 'High': return chalk.red(severity);
@@ -37,7 +40,7 @@ program.command('scan')
   .description('Scan a directory for potential security issues.')
   .argument('[directory]', 'Directory to scan', '.')
   .option('-o, --output <file>', 'Specify JSON output file path (e.g., report.json)')
-  .option('-r, --report <file>', 'Specify Markdown report file path (e.g., report.md)')
+  .option('-r, --report [file]', 'Specify Markdown report file path (defaults to VIBESAFE-REPORT.md)')
   .option('--high-only', 'Only report high severity issues')
   .action(async (directory, options) => {
     const rootDir = path.resolve(directory);
@@ -46,10 +49,21 @@ program.command('scan')
       console.log('(--high-only flag detected)');
     }
     if (options.output) {
-      console.log(`Output will be written to: ${options.output}`);
+      console.log(`JSON output will be written to: ${options.output}`);
     }
-    if (options.report) {
-        console.log(`Markdown report will be written to: ${options.report}`);
+    
+    // Determine report path based on options
+    let reportPath: string | null = null;
+    if (options.report) { // Check if -r or --report was used
+        if (typeof options.report === 'string') {
+            // User provided a specific filename
+            reportPath = path.resolve(options.report);
+            console.log(`Markdown report will be written to: ${reportPath}`);
+        } else {
+            // User used the flag without a filename, use default
+            reportPath = path.join(rootDir, 'VIBESAFE-REPORT.md');
+            console.log(`Markdown report will be written to default location: ${reportPath}`);
+        }
     }
 
     // --- Moved: Check .gitignore Status --- 
@@ -59,9 +73,13 @@ program.command('scan')
     // --- Findings Aggregation ---
     let allSecretFindings: SecretFinding[] = [];
     let allDependencyFindings: DependencyFinding[] = [];
+    let allConfigFindings: ConfigFinding[] = [];
+    let allUploadFindings: UploadFinding[] = [];
+    let allEndpointFindings: EndpointFinding[] = [];
 
     // --- File Traversal (Phase 2.2) ---
     const filesToScan = getFilesToScan(directory);
+    const configFilesToScan = filesToScan.filter(f => /\.(json|ya?ml)$/i.test(f));
 
     // --- Detect Package Manager (Phase 3.1) ---
     const detectedManagers = detectPackageManagers(filesToScan, rootDir);
@@ -93,6 +111,48 @@ program.command('scan')
         console.log('Skipping CVE lookup as no dependencies were parsed.');
     }
 
+    // --- Configuration Scan (Phase 6.1) ---
+    console.log(`Scanning ${configFilesToScan.length} potential config files...`);
+    configFilesToScan.forEach(filePath => {
+        const findings = scanConfigFile(filePath);
+        const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+        allConfigFindings = allConfigFindings.concat(relativeFindings);
+    });
+
+    // --- Upload Scan (Phase 6.2) ---
+    // Define file extensions relevant for upload checks
+    const UPLOAD_SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx', '.vue', '.html']);
+    const filesForUploadScan = filesToScan.filter(f => UPLOAD_SCAN_EXTENSIONS.has(path.extname(f).toLowerCase()));
+    console.log(`Scanning ${filesForUploadScan.length} files for potential upload issues...`);
+    filesForUploadScan.forEach(filePath => {
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const findings = scanForUnvalidatedUploads(filePath, content);
+            const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+            allUploadFindings = allUploadFindings.concat(relativeFindings);
+        } catch (error: any) {
+            // Avoid crashing if a single file fails (e.g., read permission)
+            console.warn(chalk.yellow(`Could not scan ${path.relative(rootDir, filePath)} for uploads: ${error.message}`));
+        }
+    });
+
+    // --- Endpoint Scan (Phase 6.3) ---
+    // Define file extensions relevant for endpoint checks (JS/TS files)
+    const ENDPOINT_SCAN_EXTENSIONS = new Set(['.js', '.ts', '.jsx', '.tsx']);
+    const filesForEndpointScan = filesToScan.filter(f => ENDPOINT_SCAN_EXTENSIONS.has(path.extname(f).toLowerCase()));
+    console.log(`Scanning ${filesForEndpointScan.length} files for potentially exposed endpoints...`);
+    filesForEndpointScan.forEach(filePath => {
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const findings = scanForExposedEndpoints(filePath, content);
+            const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+            allEndpointFindings = allEndpointFindings.concat(relativeFindings);
+        } catch (error: any) {
+            // Avoid crashing if a single file fails (e.g., read permission)
+            console.warn(chalk.yellow(`Could not scan ${path.relative(rootDir, filePath)} for endpoints: ${error.message}`));
+        }
+    });
+
     // Separate Info findings
     const infoSecretFindings = allSecretFindings.filter(f => f.severity === 'Info');
     const standardSecretFindings = allSecretFindings.filter(f => f.severity !== 'Info');
@@ -106,13 +166,31 @@ program.command('scan')
       ? allDependencyFindings.filter(dep => (dep.maxSeverity === 'High' || dep.maxSeverity === 'Critical')) // Exclude errors when highOnly
       : allDependencyFindings.filter(dep => dep.vulnerabilities.length > 0 || dep.error);
 
+    // Filter config findings based on high-only flag if needed (e.g., only High CORS)
+    const reportConfigFindings = options.highOnly
+      ? allConfigFindings.filter(f => f.severity === 'High' || f.severity === 'Critical')
+      : allConfigFindings;
+
+    // Filter upload findings (adjust severity filtering as needed)
+    const reportUploadFindings = options.highOnly
+      ? allUploadFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium') // Example: Include Medium for uploads even with --high-only?
+      : allUploadFindings;
+
+    // Filter endpoint findings (e.g., keep Medium+ for high-only)
+    const reportEndpointFindings = options.highOnly
+        ? allEndpointFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium') 
+        : allEndpointFindings;
+
     // --- NOW Check Gitignore Status --- 
     gitignoreWarnings = checkGitignoreStatus(rootDir);
 
     // --- Output Generation ---
     const reportData = { 
-        secretFindings: reportSecretFindings, // Report only standard secrets
-        dependencyFindings: reportDependencyFindings 
+        secretFindings: reportSecretFindings, 
+        dependencyFindings: reportDependencyFindings, 
+        configFindings: reportConfigFindings,
+        uploadFindings: reportUploadFindings,
+        endpointFindings: reportEndpointFindings
     };
 
     // Generate JSON if requested
@@ -121,6 +199,9 @@ program.command('scan')
             const outputJsonData = {
                 secrets: reportSecretFindings,
                 dependencies: reportDependencyFindings,
+                configuration: reportConfigFindings,
+                uploads: reportUploadFindings,
+                endpoints: reportEndpointFindings
             }
             fs.writeFileSync(options.output, JSON.stringify(outputJsonData, null, 2));
             console.log(`JSON results successfully written to ${options.output}`);
@@ -131,19 +212,19 @@ program.command('scan')
     }
 
     // Generate Markdown Report if requested
-    if (options.report) {
+    if (reportPath) { 
         try {
             // Await the async report generation
             const markdownContent = await generateMarkdownReport(reportData); 
-            fs.writeFileSync(options.report, markdownContent);
-            console.log(`Markdown report successfully written to ${options.report}`);
+            fs.writeFileSync(reportPath, markdownContent);
+            console.log(`Markdown report successfully written to ${reportPath}`);
         } catch (error) {
-             console.error(`Error writing Markdown report file ${options.report}:`, error);
+             console.error(`Error writing Markdown report file ${reportPath}:`, error);
         }
     }
 
     // Print to console ONLY if neither JSON nor Markdown output was specified
-    if (!options.output && !options.report) {
+    if (!options.output && !reportPath) {
 
         // Print Configuration Warnings FIRST (after scans, before results)
         if (gitignoreWarnings.length > 0) {
@@ -164,11 +245,14 @@ program.command('scan')
             });
         }
 
-        // Check if any standard findings exist
+        // Check if any standard findings exist (including config)
         const hasStandardSecrets = reportSecretFindings.length > 0;
         const hasDependencyIssues = reportDependencyFindings.length > 0;
+        const hasConfigIssues = reportConfigFindings.length > 0;
+        const hasUploadIssues = reportUploadFindings.length > 0;
+        const hasEndpointIssues = reportEndpointFindings.length > 0;
 
-        if (hasStandardSecrets || hasDependencyIssues) {
+        if (hasStandardSecrets || hasDependencyIssues || hasConfigIssues || hasUploadIssues || hasEndpointIssues) {
             // Print standard secrets to console if found
             if (hasStandardSecrets) {
                 console.log(chalk.bold('\nPotential Secrets Found:'));
@@ -192,6 +276,43 @@ program.command('scan')
                     }
                 });
             }
+
+            // Print config findings to console if found
+            if (hasConfigIssues) {
+                console.log(chalk.bold('\nConfiguration Issues Found:'));
+                reportConfigFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity));
+                reportConfigFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type}: ${chalk.cyan(finding.file)} - Key: ${chalk.magenta(finding.key)}, Value: ${chalk.yellow(JSON.stringify(finding.value))}`);
+                    console.log(chalk.dim(`    > ${finding.message}`));
+                });
+            }
+
+            // Print upload findings to console if found
+            if (hasUploadIssues) {
+                console.log(chalk.bold('\nPotential Upload Issues Found:'));
+                reportUploadFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity));
+                reportUploadFindings.forEach(finding => {
+                    // Customize console output for upload findings
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+                    console.log(chalk.dim(`    > ${finding.message}`));
+                    if (finding.details) {
+                         console.log(chalk.dim(`      ${finding.details}`));
+                    }
+                });
+            }
+
+            // Print endpoint findings to console if found
+            if (hasEndpointIssues) {
+                console.log(chalk.bold('\nPotentially Exposed Endpoints Found:'));
+                reportEndpointFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity));
+                reportEndpointFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+                    console.log(chalk.dim(`    > Path: ${chalk.magenta(finding.path)} - ${finding.message}`));
+                    if (finding.details) {
+                         console.log(chalk.dim(`      Context: ${finding.details}`));
+                    }
+                });
+            }
         } else {
             // All Clear! Print positive message.
             // Check if we actually scanned for dependencies before saying no vulns found
@@ -210,8 +331,11 @@ program.command('scan')
     // Info findings should NOT affect exit code
     const highSeveritySecrets = reportSecretFindings.some(f => f.severity === 'High');
     const highSeverityDeps = reportDependencyFindings.some(d => d.maxSeverity === 'High' || d.maxSeverity === 'Critical');
+    const highSeverityConfig = reportConfigFindings.some(f => f.severity === 'High' || f.severity === 'Critical');
+    const highSeverityUploads = reportUploadFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
+    const highSeverityEndpoints = reportEndpointFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
 
-    if (options.highOnly && (highSeveritySecrets || highSeverityDeps)) {
+    if (options.highOnly && (highSeveritySecrets || highSeverityDeps || highSeverityConfig || highSeverityUploads || highSeverityEndpoints)) {
         console.log('Exiting with code 1 due to High/Critical severity findings (--high-only specified).');
         process.exit(1);
     }