Update dependencies and enhance pattern handling

- Added `tracing-appender` and `log` dependencies to improve error logging. - Enhanced `walk.rs` to add error handling with warning logs for ignore patterns. - Expanded Rust and JavaScript patterns with additional security vulnerability checks. - Simplified and updated pattern queries for improved accuracy and consistency. - Removed unused print statement in `index.rs`.
2026-06-09 19:45:13 +02:00 · 2025-06-17 02:22:14 +02:00 · 2025-06-17 02:22:14 +02:00 · 7bfce3ad7f
commit 7bfce3ad7f
parent 22369cc404
6 changed files with 203 additions and 32 deletions
--- a/src/patterns/javascript.rs
+++ b/src/patterns/javascript.rs
@ -37,4 +37,86 @@ pub const PATTERNS: &[Pattern] = &[
    query: "(call_expression function: (member_expression object: (identifier) @obj (#eq? @obj \"JSON\") property: (property_identifier) @prop (#eq? @prop \"parse\"))) @vuln",
    severity: Severity::Low,
  },
+  Pattern {
+    id: "outer_html_assignment",
+    description: "Assignment to element.outerHTML",
+    query: "(assignment_expression
+               left: (member_expression
+                        property: (property_identifier) @prop
+                        (#eq? @prop \"outerHTML\"))) @vuln",
+    severity: Severity::Medium,
+  },
+  Pattern {
+    id: "insert_adjacent_html",
+    description: "insertAdjacentHTML() call",
+    query: "(call_expression
+               function: (member_expression
+                           property: (property_identifier) @prop
+                           (#eq? @prop \"insertAdjacentHTML\"))) @vuln",
+    severity: Severity::Medium,
+  },
+  Pattern {
+    id: "location_href_assignment",
+    description: "Assignment to window.location / location.href",
+    query: "(assignment_expression
+               left: (member_expression
+                        object: (identifier)? @obj
+                        property: (property_identifier) @prop
+                        (#match? @prop \"location|href\"))) @vuln",
+    severity: Severity::High,
+  },
+  Pattern {
+    id: "cookie_assignment",
+    description: "Write to document.cookie",
+    query: "(assignment_expression
+               left: (member_expression
+                        object: (identifier) @obj
+                        (#eq? @obj \"document\")
+                        property: (property_identifier) @prop
+                        (#eq? @prop \"cookie\"))) @vuln",
+    severity: Severity::Medium,
+  },
+  Pattern {
+    id: "proto_pollution",
+    description: "Assignment to __proto__ (prototype pollution)",
+    query: "(assignment_expression
+               left: (member_expression
+                        property: (property_identifier) @prop
+                        (#eq? @prop \"__proto__\"))) @vuln",
+    severity: Severity::High,
+  },
+  Pattern {
+    id: "weak_hash_md5",
+    description: "crypto.createHash(\"md5\")",
+    query: "(call_expression
+               function: (member_expression
+                           object: (identifier) @obj
+                           (#eq? @obj \"crypto\")
+                           property: (property_identifier) @prop
+                           (#eq? @prop \"createHash\"))
+               arguments: (arguments
+                            (string) @alg
+                            (#eq? @alg \"md5\"))) @vuln",
+    severity: Severity::Low,
+  },
+  Pattern {
+    id: "regexp_constructor_string",
+    description: "new RegExp() with a dynamic string",
+    query: "(new_expression
+               constructor: (identifier) @id
+               (#eq? @id \"RegExp\")
+               arguments: (arguments (string) @pattern)) @vuln",
+    severity: Severity::Low,
+  },
+  Pattern {
+    id: "dangerous_extend_builtin",
+    description: "Extending Object.prototype (may lead to collisions/pollution)",
+    query: "(assignment_expression
+               left: (member_expression
+                        object: (identifier) @obj
+                        (#eq? @obj \"Object\")
+                        property: (property_identifier) @prop
+                        (#eq? @prop \"prototype\"))) @vuln",
+    severity: Severity::Medium,
+  },
 ];
--- a/src/patterns/rust.rs
+++ b/src/patterns/rust.rs
@ -1,9 +1,5 @@
 use crate::patterns::{Pattern, Severity};

-/// The full catalogue.
-///
-/// *Feel free to prune, extend, or tweak severities to suit your own threat
-/// model.*
 pub const PATTERNS: &[Pattern] = &[
  Pattern {
    id: "unsafe_block",
@ -14,19 +10,57 @@ pub const PATTERNS: &[Pattern] = &[
  Pattern {
    id: "unsafe_fn",
    description: "`unsafe fn` declaration",
-    query: "(function_item (modifier) @kw (#eq? @kw \"unsafe\")) @vuln",
+    query: "(function_item
+               (function_modifiers) @mods
+               (#match? @mods \"^unsafe\\b\")) @vuln",
+    severity: Severity::High,
+  },
+  Pattern {
+    id: "transmute_call",
+    description: "`std::mem::transmute` call",
+    query: "(call_expression
+                  function: (scoped_identifier
+                              path: (identifier) @p (#eq? @p \"mem\")
+                              name: (identifier) @f (#eq? @f \"transmute\")))
+                @vuln",
+    severity: Severity::High,
+  },
+  Pattern {
+    id: "copy_nonoverlapping",
+    description: "Raw pointer `copy_nonoverlapping`",
+    query: "(call_expression
+                  function: (scoped_identifier
+                              path: (identifier) @p (#eq? @p \"ptr\")
+                              name: (identifier) @f (#eq? @f \"copy_nonoverlapping\")))
+                @vuln",
+    severity: Severity::High,
+  },
+  Pattern {
+    id: "get_unchecked",
+    description: "`get_unchecked` / `get_unchecked_mut` slice access",
+    query: "(call_expression
+                  function: (field_expression
+                              field: (field_identifier) @m
+                              (#match? @m \"get_unchecked(_mut)?\"))) @vuln",
    severity: Severity::High,
  },
  Pattern {
    id: "unwrap_call",
    description: "`.unwrap()` call (may panic)",
-    query: "(call_expression function: (field_expression field: (field_identifier) @name (#eq? @name \"unwrap\"))) @vuln",
+    query: "(call_expression
+              function: (field_expression
+                          field: (field_identifier) @name
+                          (#eq? @name \"unwrap\")))   ; exact match
+            @vuln",
    severity: Severity::Medium,
  },
  Pattern {
    id: "expect_call",
    description: "`.expect()` call (may panic)",
-    query: "(call_expression function: (field_expression field: (field_identifier) @name (#eq? @name \"expect\"))) @vuln",
+    query: "(call_expression
+                  function: (field_expression
+                              field: (field_identifier) @name
+                              (#eq? @name \"expect\"))) @vuln",
    severity: Severity::Medium,
  },
  Pattern {
@ -38,31 +72,47 @@ pub const PATTERNS: &[Pattern] = &[
  Pattern {
    id: "todo_or_unimplemented",
    description: "`todo!()` / `unimplemented!()` placeholder",
-    query: "(macro_invocation (identifier) @id (#match? @id \"todo|unimplemented\")) @vuln",
+    query: "(macro_invocation
+                  (identifier) @id
+                  (#match? @id \"todo|unimplemented\")) @vuln",
    severity: Severity::Low,
  },
-  Pattern {
-    id: "transmute_call",
-    description: "`std::mem::transmute` call",
-    query: "(call_expression function: (scoped_identifier path: (identifier) @p (#eq? @p \"mem\") name: (identifier) @f (#eq? @f \"transmute\"))) @vuln",
-    severity: Severity::High,
-  },
-  Pattern {
-    id: "get_unchecked",
-    description: "`get_unchecked` or `get_unchecked_mut` slice access",
-    query: "(call_expression function: (field_expression field: (field_identifier) @m (#match? @m \"get_unchecked(_mut)?\"))) @vuln",
-    severity: Severity::High,
-  },
-  Pattern {
-    id: "copy_nonoverlapping",
-    description: "Raw pointer `copy_nonoverlapping`",
-    query: "(call_expression function: (scoped_identifier path: (identifier) @p (#eq? @p \"ptr\") name: (identifier) @f (#eq? @f \"copy_nonoverlapping\"))) @vuln",
-    severity: Severity::High,
-  },
  Pattern {
    id: "narrow_cast_with_as",
    description: "`as` cast to an 8-/16-bit integer (possible truncation)",
-    query: "(as_expression left: (_) right: (primitive_type) @to (#match? @to \"u8|i8|u16|i16\")) @vuln",
+    query: "(type_cast_expression
+                  type: (primitive_type) @to
+                  (#match? @to \"^u?i(8|16)$\")) @vuln",
    severity: Severity::Low,
  },
+  Pattern { 
+    id: "mem_zeroed",     
+    description: "`std::mem::zeroed()`",          
+    query: "(call_expression function:(scoped_identifier path:(identifier)@p (#eq? @p \"mem\") name:(identifier)@n (#eq? @n \"zeroed\")))@vuln", 
+    severity: Severity::High 
+  },
+  Pattern { 
+    id: "mem_forget",     
+    description: "`std::mem::forget()`",          
+    query: "(call_expression function:(scoped_identifier path:(identifier)@p (#eq? @p \"mem\") name:(identifier)@n (#eq? @n \"forget\")))@vuln", 
+    severity: Severity::Medium 
+  },
+  Pattern { 
+    id: "ptr_read",       
+    description: "`ptr::read_*` raw-ptr read",    
+    query: "(call_expression function:(scoped_identifier path:(identifier)@p (#eq? @p \"ptr\") name:(identifier)@n (#match? @n \"read(_volatile)?\")))@vuln", 
+    severity: Severity::High 
+  },
+  Pattern { 
+    id: "arc_unwrap",     
+    description: "`Arc::unwrap_or_else_unchecked`",
+    query: "(call_expression function:(scoped_identifier name:(identifier)@n (#eq? @n \"unwrap_or_else_unchecked\")))@vuln", 
+    severity: Severity::High 
+  },
+  Pattern { 
+    id: "dbg_macro",      
+    description: "`dbg!()` left in code",         
+    query: "(macro_invocation (identifier)@id (#eq? @id \"dbg\"))@vuln", 
+    severity: Severity::Low 
+  },
 ];