slowcoder360
diff --git a/‎6-steps.md
Lines changed: 88 additions & 0 deletions b/‎6-steps.md
Lines changed: 88 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 18 additions & 8 deletions b/‎README.md
Lines changed: 18 additions & 8 deletions
diff --git a/‎instructions.md
Lines changed: 6 additions & 1 deletion b/‎instructions.md
Lines changed: 6 additions & 1 deletion
diff --git a/‎package.json
Lines changed: 1 addition & 0 deletions b/‎package.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/index.ts
Lines changed: 127 additions & 6 deletions b/‎src/index.ts
Lines changed: 127 additions & 6 deletions
@@ -0,0 +1,88 @@
+Phase 6: Additional Common Checks
+6.3 Exposed Debug/Admin Endpoints
+ Extend file traversal to include:
+
+Express router files (src/routes/**)
+
+Next.js API routes (pages/api/, app/api/)
+
+ Scan each .js/.ts file for sensitive-path definitions using regex or AST, e.g.
+app.(get|post|put|delete)('/(admin|debug|status|info)'
+router.(get|post)('/(admin|debug|status|info)'
+
+ Record each match as a JSON object:
+{ "file": "src/routes/admin.js", "line": 42, "path": "/admin" }
+
+ In each matched file, scan imports for auth libraries:
+
+passport
+
+express-session
+
+jsonwebtoken
+
+next-auth
+
+@clerk/clerk-sdk-node
+
+ In the handler code, look for auth-usage patterns:
+
+if (!req.user)
+
+await getSession()
+
+jwt.verify()
+
+ Flag endpoint if a sensitive route is found and no auth import or auth-usage pattern is detected
+
+6.4 Lack of Rate‑Limiting in HTTP Clients
+ Detect HTTP libraries in package.json:
+
+axios
+
+node-fetch
+
+cross-fetch
+
+got
+
+superagent
+
+ AST scan each .js/.ts file for call expressions:
+
+axios.<method>(url, config?)
+
+fetch(url, options?)
+
+ For each call, inspect arguments:
+
+axios: if only one argument or config missing timeout/signal, mark missing timeout
+
+fetch: if no AbortController usage (new AbortController() or signal:), mark missing timeout
+
+ Emit JSON per finding: { "file": "src/api.js", "line": 27, "library": "axios", "call": "axios.get", "missing": ["timeout"] }
+
+ Add CLI flag (e.g. --check-timeouts) to include these findings in the report
+
+6.5 Insufficient Logging & Error Sanitization
+ AST scan for all CallExpression where callee is:
+
+console.log
+
+console.error
+
+console.warn
+
+console.debug
+
+logger methods from known libs (e.g. winston, pino)
+
+ For each log call:
+
+If single argument is an Identifier named err/error or a MemberExpression ending in .stack, flag as unsanitized-error
+
+If any argument source text matches /password|email|token|ssn|secret/, flag as pii-logging
+
+ Emit JSON per finding: { "file": "src/app.js", "line": 123, "type": "pii-logging", "snippet": "console.error(User email: ${user.email})" }
+
+ Group and summarize findings by file in the final report
@@ -4,14 +4,17 @@ A CLI tool to scan your codebase for security vibes.
 
 VibeSafe helps developers quickly check their projects for common security issues like exposed secrets, outdated dependencies with known vulnerabilities (CVEs), and generates helpful reports.
 
-## Features (MVP)
-
-*   **Secret Scanning:** Detects potential secrets (API keys, credentials) using regex patterns and entropy analysis.
-*   **Dependency Scanning:** Parses package manifests (currently `package.json`) and checks dependencies against the OSV.dev vulnerability database.
-*   **Configuration Scanning:** Checks configuration files (JSON, YAML) for common insecure settings (e.g., `DEBUG=true`, permissive CORS).
-*   **Unvalidated Upload Detection:** Identifies potential missing file size/type restrictions in common upload libraries (e.g., `multer`, `formidable`) and generic patterns (`FormData`, `<input type="file">`).
-*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`) based on common patterns.
-*   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report`).
+## Features
+
+*   **Secret Scanning:** Detects potential secrets using regex patterns (AWS Keys, JWTs, SSH Keys, generic high-entropy strings) and specifically flags secrets found in `.env` files.
+*   **Dependency Scanning:** Parses `package.json` (for npm/yarn projects) and checks dependencies against the OSV.dev vulnerability database for known CVEs.
+*   **Configuration Scanning:** Checks JSON and YAML files for common insecure settings (e.g., `DEBUG = true`, `devMode = true`, permissive CORS like `origin: '*'`).
+*   **HTTP Client Issues:** Detects potential missing timeout or cancellation configurations in calls using `axios`, `fetch`, `got`, and `request`. (*See Limitations below*).
+*   **Unvalidated Upload Detection:** Identifies potential missing file size/type restrictions in common upload libraries (`multer`, `formidable`, `express-fileupload`, `busboy`) and generic patterns (`new FormData()`, `<input type="file">`).
+*   **Exposed Endpoint Detection:** Flags potentially sensitive endpoints (e.g., `/admin`, `/debug`, `/status`, `/info`, `/metrics`) in Express/Node.js applications using common routing patterns or string literals.
+*   **Rate Limit Check (Heuristic):** Suggests reviewing rate limiting if Express/Node.js routes are detected in a file without an `express-rate-limit` import.
+*   **Improper Error Logging Detection:** Flags potential logging of full error objects (e.g., `console.error(err)`, `logger.error(e)`), which can leak stack traces.
+*   **Multiple Output Formats:** Provides results via console output (with colors!), JSON (`--output`), or a Markdown report (`--report` with default `VIBESAFE-REPORT.md`).
 *   **AI-Powered Suggestions (Optional):** Generates fix suggestions in the Markdown report using OpenAI (requires API key).
 *   **Filtering:** Focus on high-impact issues using `--high-only`.
 *   **Customizable Ignores:** Use a `.vibesafeignore` file (similar syntax to `.gitignore`) to exclude specific files or directories from the scan.
@@ -79,6 +82,13 @@ To generate fix suggestions in the Markdown report, you need an OpenAI API key.
 vibesafe scan --high-only
 ```
 
+## Limitations
+
+*   **Superagent Timeouts:** The check for missing timeouts in the `superagent` HTTP client library is currently disabled due to complexities in accurately detecting chained method calls (like `.timeout()`) using AST. Calls using `superagent` will not be flagged for missing timeouts at this time. This is planned for a future enhancement.
+*   **Dynamic Configuration:** Checks rely on static analysis (AST parsing, regex). Timeouts or security settings configured dynamically (e.g., read from environment variables at runtime and passed into client options) may not be detected.
+*   **Rate Limiting:** The check is a heuristic based on the presence of route definitions and the *absence* of a specific import (`express-rate-limit`). It does not guarantee that rate limiting is actually missing or insufficient if implemented differently.
+*   **Authentication Checks:** Exposed endpoint detection does not currently verify if proper authentication or authorization middleware is applied to flagged routes.
+
 ## Ignoring Files (.vibesafeignore)
 
 Create a `.vibesafeignore` file in the root of the directory being scanned. Add file paths or glob patterns (one per line) to exclude them from the scan. The syntax is the same as `.gitignore`.
 
@@ -100,8 +100,13 @@
    - [x] Search for routes named `/debug`, `/admin`, `/status`, `/info`, etc. using framework patterns or string literals
    - [ ] Flag those without authentication or middleware checks // (Future enhancement - complex)
 4. **Lack of Rate‑Limiting**  
-   - [ ] Identify HTTP handlers or clients missing rate‑limiter middleware (e.g., express-rate-limit)  
+   - [x] Identify files with route definitions but missing `express-rate-limit` import (heuristic)
    - [ ] Flag missing throttle/retry settings in HTTP client code
+   - [x] Detect missing timeout/cancellation in HTTP client calls (axios, fetch, got, request) // (Superagent check disabled due to AST complexity)
+   - [ ] *TODO: Implement reliable `superagent` timeout detection via AST*
+5. **Insufficient Logging & Error Sanitization**  
+   - [x] Find logging of full error objects or stack traces (e.g., `console.error(err)`)
+   - [ ] Detect logging of PII or sensitive data in plain text // (Future enhancement - complex)
 
 ## 6. Risks & Mitigations
 
 
@@ -21,6 +21,7 @@
   "license": "SEE LICENSE IN LICENSE",
   "devDependencies": {
     "@types/node": "^22.14.1",
+    "@typescript-eslint/typescript-estree": "^8.30.1",
     "ts-node": "^10.9.2",
     "typescript": "^5.8.3"
   },
 
@@ -14,6 +14,9 @@ import chalk from 'chalk';
 import { scanConfigFile, ConfigFinding } from './scanners/configuration';
 import { scanForUnvalidatedUploads, UploadFinding } from './scanners/uploads';
 import { scanForExposedEndpoints, EndpointFinding } from './scanners/endpoints';
+import { scanForMissingRateLimit, RateLimitFinding } from './scanners/rateLimiting';
+import { scanForImproperErrorLogging, ErrorLoggingFinding } from './scanners/logging';
+import { scanForHttpClientIssues, HttpClientFinding } from './scanners/httpClient';
 
 // Define a combined finding type if needed later
 
@@ -76,6 +79,9 @@ program.command('scan')
     let allConfigFindings: ConfigFinding[] = [];
     let allUploadFindings: UploadFinding[] = [];
     let allEndpointFindings: EndpointFinding[] = [];
+    let allRateLimitFindings: RateLimitFinding[] = [];
+    let allErrorLoggingFindings: ErrorLoggingFinding[] = [];
+    let allHttpClientFindings: HttpClientFinding[] = [];
 
     // --- File Traversal (Phase 2.2) ---
     const filesToScan = getFilesToScan(directory);
@@ -153,6 +159,51 @@ program.command('scan')
         }
     });
 
+    // --- Rate Limit Scan (Phase 6.4) ---
+    // Use the same JS/TS files as endpoint scan for checking rate limiting context
+    console.log(`Scanning ${filesForEndpointScan.length} files for potential missing rate limiting...`);
+    filesForEndpointScan.forEach(filePath => {
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const findings = scanForMissingRateLimit(filePath, content);
+            const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+            allRateLimitFindings = allRateLimitFindings.concat(relativeFindings);
+        } catch (error: any) {
+            // Avoid crashing if a single file fails
+            console.warn(chalk.yellow(`Could not scan ${path.relative(rootDir, filePath)} for rate limiting: ${error.message}`));
+        }
+    });
+
+    // --- Error Logging Scan (Phase 6.5) ---
+    // Use the same JS/TS files as endpoint/rate-limit scan
+    console.log(`Scanning ${filesForEndpointScan.length} files for potential improper error logging...`);
+    filesForEndpointScan.forEach(filePath => {
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const findings = scanForImproperErrorLogging(filePath, content);
+            const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+            allErrorLoggingFindings = allErrorLoggingFindings.concat(relativeFindings);
+        } catch (error: any) {
+            // Avoid crashing if a single file fails
+            console.warn(chalk.yellow(`Could not scan ${path.relative(rootDir, filePath)} for logging issues: ${error.message}`));
+        }
+    });
+
+    // --- HTTP Client Scan (Phase 6.4.2) ---
+    // Use the same JS/TS files as endpoint scan
+    console.log(`Scanning ${filesForEndpointScan.length} files for potential HTTP client issues...`);
+    filesForEndpointScan.forEach(filePath => {
+        try {
+            const content = fs.readFileSync(filePath, 'utf-8');
+            const findings = scanForHttpClientIssues(filePath, content);
+            const relativeFindings = findings.map(f => ({ ...f, file: path.relative(rootDir, f.file) }));
+            allHttpClientFindings = allHttpClientFindings.concat(relativeFindings);
+        } catch (error: any) {
+            // Avoid crashing if a single file fails
+            console.warn(chalk.yellow(`Could not scan ${path.relative(rootDir, filePath)} for HTTP client issues: ${error.message}`));
+        }
+    });
+
     // Separate Info findings
     const infoSecretFindings = allSecretFindings.filter(f => f.severity === 'Info');
     const standardSecretFindings = allSecretFindings.filter(f => f.severity !== 'Info');
@@ -181,6 +232,21 @@ program.command('scan')
         ? allEndpointFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium') 
         : allEndpointFindings;
 
+    // Filter rate limit findings (These are 'Low' severity, so they likely won't show with --high-only)
+    const reportRateLimitFindings = options.highOnly
+        ? allRateLimitFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium') // Will likely be empty
+        : allRateLimitFindings;
+
+    // Filter error logging findings (Low severity)
+    const reportErrorLoggingFindings = options.highOnly
+        ? allErrorLoggingFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium')
+        : allErrorLoggingFindings;
+
+    // Filter HTTP client findings (Low severity)
+    const reportHttpClientFindings = options.highOnly
+        ? allHttpClientFindings.filter(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium')
+        : allHttpClientFindings;
+
     // --- NOW Check Gitignore Status --- 
     gitignoreWarnings = checkGitignoreStatus(rootDir);
 
@@ -190,7 +256,10 @@ program.command('scan')
         dependencyFindings: reportDependencyFindings, 
         configFindings: reportConfigFindings,
         uploadFindings: reportUploadFindings,
-        endpointFindings: reportEndpointFindings
+        endpointFindings: reportEndpointFindings,
+        rateLimitFindings: reportRateLimitFindings,
+        errorLoggingFindings: reportErrorLoggingFindings,
+        httpClientFindings: reportHttpClientFindings
     };
 
     // Generate JSON if requested
@@ -201,7 +270,10 @@ program.command('scan')
                 dependencies: reportDependencyFindings,
                 configuration: reportConfigFindings,
                 uploads: reportUploadFindings,
-                endpoints: reportEndpointFindings
+                endpoints: reportEndpointFindings,
+                rateLimiting: reportRateLimitFindings,
+                errorLogging: reportErrorLoggingFindings,
+                httpClients: reportHttpClientFindings
             }
             fs.writeFileSync(options.output, JSON.stringify(outputJsonData, null, 2));
             console.log(`JSON results successfully written to ${options.output}`);
@@ -251,8 +323,11 @@ program.command('scan')
         const hasConfigIssues = reportConfigFindings.length > 0;
         const hasUploadIssues = reportUploadFindings.length > 0;
         const hasEndpointIssues = reportEndpointFindings.length > 0;
+        const hasRateLimitIssues = reportRateLimitFindings.length > 0;
+        const hasErrorLoggingIssues = reportErrorLoggingFindings.length > 0;
+        const hasHttpClientIssues = reportHttpClientFindings.length > 0;
 
-        if (hasStandardSecrets || hasDependencyIssues || hasConfigIssues || hasUploadIssues || hasEndpointIssues) {
+        if (hasStandardSecrets || hasDependencyIssues || hasConfigIssues || hasUploadIssues || hasEndpointIssues || hasRateLimitIssues || hasErrorLoggingIssues || hasHttpClientIssues) {
             // Print standard secrets to console if found
             if (hasStandardSecrets) {
                 console.log(chalk.bold('\nPotential Secrets Found:'));
@@ -313,6 +388,46 @@ program.command('scan')
                     }
                 });
             }
+
+            // Print rate limit findings to console if found
+            if (hasRateLimitIssues) {
+                console.log(chalk.bold('\nPotential Rate Limiting Issues Found:'));
+                // Since findings are per-file, group them or just list them
+                reportRateLimitFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity)); // Although all are Low for now
+                reportRateLimitFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)} (around line ${chalk.yellow(String(finding.line))})`);
+                    console.log(chalk.dim(`    > ${finding.message}`));
+                    if (finding.details) {
+                         console.log(chalk.dim(`      ${finding.details}`));
+                    }
+                });
+            }
+
+            // Print error logging findings to console if found
+            if (hasErrorLoggingIssues) {
+                console.log(chalk.bold('\nPotential Unsanitized Error Logging Found:'));
+                reportErrorLoggingFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity)); // Although all are Low
+                reportErrorLoggingFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+                    console.log(chalk.dim(`    > ${finding.message}`));
+                    if (finding.details) {
+                         console.log(chalk.dim(`      ${finding.details}`));
+                    }
+                });
+            }
+
+            // Print http client findings to console if found
+            if (hasHttpClientIssues) {
+                console.log(chalk.bold('\nPotential HTTP Client Issues Found:'));
+                reportHttpClientFindings.sort((a,b) => severityToSortOrder(b.severity) - severityToSortOrder(a.severity)); // Although all are Low
+                reportHttpClientFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} (${finding.library}) in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+                    console.log(chalk.dim(`    > ${finding.message}`));
+                    if (finding.details) {
+                         console.log(chalk.dim(`      ${finding.details}`));
+                    }
+                });
+            }
         } else {
             // All Clear! Print positive message.
             // Check if we actually scanned for dependencies before saying no vulns found
@@ -334,8 +449,14 @@ program.command('scan')
     const highSeverityConfig = reportConfigFindings.some(f => f.severity === 'High' || f.severity === 'Critical');
     const highSeverityUploads = reportUploadFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
     const highSeverityEndpoints = reportEndpointFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
-
-    if (options.highOnly && (highSeveritySecrets || highSeverityDeps || highSeverityConfig || highSeverityUploads || highSeverityEndpoints)) {
+    // Rate limit findings are currently Low, so they won't trigger exit code 1 with --high-only
+    // const highSeverityRateLimit = reportRateLimitFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
+    // Error logging findings are Low, so they won't trigger exit code 1 with --high-only
+    // const highSeverityErrorLogging = reportErrorLoggingFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
+    // HTTP Client findings are Low, so they won't trigger exit code 1 with --high-only
+    // const highSeverityHttpClient = reportHttpClientFindings.some(f => f.severity === 'High' || f.severity === 'Critical' || f.severity === 'Medium');
+
+    if (options.highOnly && (highSeveritySecrets || highSeverityDeps || highSeverityConfig || highSeverityUploads || highSeverityEndpoints /*|| highSeverityRateLimit || highSeverityErrorLogging || highSeverityHttpClient*/)) {
         console.log('Exiting with code 1 due to High/Critical severity findings (--high-only specified).');
         process.exit(1);
     }
@@ -354,4 +475,4 @@ function severityToSortOrder(severity: FindingSeverity | SecretFinding['severity
     }
 }
 
-program.parse(process.argv); 
+program.parse(process.argv);