fixed some dynamic and static bugs and failing test cases

2026-06-12 19:55:14 +02:00 · 2026-06-03 15:56:00 -05:00 · 2026-06-03 15:56:00 -05:00 · ddf9ff13e2
commit ddf9ff13e2
parent 20093972a9
10 changed files with 215 additions and 35 deletions
--- a/src/patterns/javascript.rs
+++ b/src/patterns/javascript.rs
@ -162,6 +162,24 @@ pub const PATTERNS: &[Pattern] = &[
        category: PatternCategory::Secrets,
        confidence: Confidence::Medium,
    },
+    // ── Tier A: Hardcoded cryptographic key/secret config ──────────────
+    // Crypto-key-shaped keys (`cookieSecret`, `cryptoKey`, `signingKey`, …) the
+    // anchored `hardcoded_secret` regex misses. Emits a `crypto`-bucketing id
+    // (a `*.secrets.*` id buckets as `other`). Benign `publicKey`/`primaryKey`/
+    // `keyName`/bare `key` are rejected by the prefix requirement.
+    Pattern {
+        id: "js.crypto.hardcoded_key",
+        description: "Hardcoded cryptographic key/secret in source config",
+        query: r#"(pair
+                     key: (property_identifier) @key
+                       (#match? @key "(?i)^([a-z0-9]+secret|(crypto|cookie|session|signing|encryption|encrypt|private|master|jwt|hmac|secret)key|api[_-]?key|access[_-]?key|secret[_-]?key|private[_-]?key|encryption[_-]?key|signing[_-]?key)$")
+                     value: (string) @val (#match? @val "[^\"']{3,}"))
+                   @vuln"#,
+        severity: Severity::Low,
+        tier: PatternTier::A,
+        category: PatternCategory::Crypto,
+        confidence: Confidence::Medium,
+    },
    // ── Tier A: Open redirect ──────────────────────────────────────────
    Pattern {
        id: "js.xss.location_assign",
--- a/src/patterns/typescript.rs
+++ b/src/patterns/typescript.rs
@ -133,6 +133,22 @@ pub const PATTERNS: &[Pattern] = &[
        category: PatternCategory::Secrets,
        confidence: Confidence::Medium,
    },
+    // ── Tier A: Hardcoded cryptographic key/secret config ──────────────
+    // Crypto-key-shaped keys the anchored `hardcoded_secret` regex misses;
+    // emits a `crypto`-bucketing rule id.  See javascript.rs for rationale.
+    Pattern {
+        id: "ts.crypto.hardcoded_key",
+        description: "Hardcoded cryptographic key/secret in source config",
+        query: r#"(pair
+                     key: (property_identifier) @key
+                       (#match? @key "(?i)^([a-z0-9]+secret|(crypto|cookie|session|signing|encryption|encrypt|private|master|jwt|hmac|secret)key|api[_-]?key|access[_-]?key|secret[_-]?key|private[_-]?key|encryption[_-]?key|signing[_-]?key)$")
+                     value: (string) @val (#match? @val "[^\"']{3,}"))
+                   @vuln"#,
+        severity: Severity::Low,
+        tier: PatternTier::A,
+        category: PatternCategory::Crypto,
+        confidence: Confidence::Medium,
+    },
    // ── Tier A: TypeScript-specific type-safety escapes ────────────────
    Pattern {
        id: "ts.quality.any_annotation",