archetecture security fix

This commit is contained in:
root
2026-06-11 03:22:12 -04:00
parent 6def9993da
commit 9483750161
3126 changed files with 177194 additions and 37211 deletions
+74
View File
@@ -0,0 +1,74 @@
import fs from 'node:fs'
import path from 'node:path'
const root = process.cwd()
const ignoredDirs = new Set(['.git', 'node_modules', 'dist', '.next', 'coverage', '.turbo'])
const files = []
function walk(dir) {
for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
if (ignoredDirs.has(entry.name)) continue
const p = path.join(dir, entry.name)
if (entry.isDirectory()) walk(p)
else files.push(p)
}
}
walk(root)
const findings = []
const authTokenStorage = /localStorage\.(?:setItem|getItem|removeItem)\(\s*(?:['"](?:employee_token|admin_token|renter_token|employee_session|admin_session|renter_session)['"]|[A-Z0-9_]*TOKEN[A-Z0-9_]*)|document\.cookie\s*=\s*['"](?:employee_token|admin_token|renter_token|employee_session|admin_session|renter_session)=/i
const rawWebhookStringify = /JSON\.stringify\(req\.body\)/i
const secretAssignment = /^(JWT_SECRET|DATABASE_URL|POSTGRES_PASSWORD|SMTP_PASSWORD|REGISTRY_PASSWORD|REGISTRY_HTTP_SECRET|AMANPAY_WEBHOOK_SECRET|PAYPAL_WEBHOOK_SECRET|CLERK_SECRET_KEY|RESEND_API_KEY|MAIL_PASSWORD|FIREBASE_PRIVATE_KEY|TWILIO_AUTH_TOKEN|PAYPAL_CLIENT_SECRET|AMANPAY_SECRET_KEY|CLOUDINARY_API_SECRET|ADMIN_SEED_PASSWORD)\s*=\s*(.+)$/i
function isTestPath(rel) {
return rel.includes('/test/') || rel.includes('/tests/') || /\.(test|spec)\.[tj]sx?$/.test(rel)
}
function isEnvLike(rel) {
const base = path.basename(rel)
return base === '.env' || base.startsWith('.env') || base.endsWith('.env')
}
function looksPlaceholder(value) {
const v = value.trim().replace(/^['"]|['"]$/g, '')
if (!v || /^\$\{?[A-Z0-9_]+\}?$/i.test(v)) return true
if (/replace-with|placeholder|example|your-|changeme|change-me|test-secret|localhost|127\.0\.0\.1/i.test(v)) return true
if (/^postgresql:\/\/[^:]+:replace-with-/i.test(v)) return true
return false
}
for (const file of files) {
const rel = path.relative(root, file)
if (rel.startsWith('.claude/') || rel === '.gitlab-ci.yml' || isTestPath(rel)) continue
if (!/\.(ts|tsx|js|jsx|json|env|example|yml|yaml|toml|md|prisma|sql)$/.test(rel) && !path.basename(rel).startsWith('.env')) continue
let text
try { text = fs.readFileSync(file, 'utf8') } catch { continue }
if (text.includes('\u0000')) continue
const lines = text.split(/\r?\n/)
for (let i = 0; i < lines.length; i += 1) {
const line = lines[i]
if (authTokenStorage.test(line)) {
findings.push(`${rel}:${i + 1}: script-readable auth token storage`)
}
if (rel.includes('/webhooks/') || rel.includes('payment.routes') || rel.includes('subscription.routes')) {
if (rawWebhookStringify.test(line)) findings.push(`${rel}:${i + 1}: webhook signature code must use raw body`)
}
if (isEnvLike(rel)) {
const match = line.match(secretAssignment)
if (match && !looksPlaceholder(match[2])) {
findings.push(`${rel}:${i + 1}: possible committed secret`)
}
}
}
}
if (findings.length) {
console.error('Security static check failed:')
for (const finding of findings) console.error(`- ${finding}`)
process.exit(1)
}
console.log('Security static check passed')