fix architecture and write new tests
This commit is contained in:
@@ -0,0 +1,74 @@
|
||||
import fs from 'node:fs'
|
||||
import path from 'node:path'
|
||||
|
||||
const root = process.cwd()
|
||||
const ignoredDirs = new Set(['.git', 'node_modules', 'dist', '.next', 'coverage', '.turbo'])
|
||||
const files = []
|
||||
|
||||
function walk(dir) {
|
||||
for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
|
||||
if (ignoredDirs.has(entry.name)) continue
|
||||
const p = path.join(dir, entry.name)
|
||||
if (entry.isDirectory()) walk(p)
|
||||
else files.push(p)
|
||||
}
|
||||
}
|
||||
|
||||
walk(root)
|
||||
|
||||
const findings = []
|
||||
const authTokenStorage = /localStorage\.(?:setItem|getItem|removeItem)\(\s*(?:['"](?:employee_token|admin_token|renter_token|employee_session|admin_session|renter_session)['"]|[A-Z0-9_]*TOKEN[A-Z0-9_]*)|document\.cookie\s*=\s*['"](?:employee_token|admin_token|renter_token|employee_session|admin_session|renter_session)=/i
|
||||
const rawWebhookStringify = /JSON\.stringify\(req\.body\)/i
|
||||
const secretAssignment = /^(JWT_SECRET|DATABASE_URL|POSTGRES_PASSWORD|SMTP_PASSWORD|REGISTRY_PASSWORD|REGISTRY_HTTP_SECRET|AMANPAY_WEBHOOK_SECRET|PAYPAL_WEBHOOK_SECRET|CLERK_SECRET_KEY|RESEND_API_KEY|MAIL_PASSWORD|FIREBASE_PRIVATE_KEY|TWILIO_AUTH_TOKEN|PAYPAL_CLIENT_SECRET|AMANPAY_SECRET_KEY|CLOUDINARY_API_SECRET|ADMIN_SEED_PASSWORD)\s*=\s*(.+)$/i
|
||||
|
||||
function isTestPath(rel) {
|
||||
return rel.includes('/test/') || rel.includes('/tests/') || /\.(test|spec)\.[tj]sx?$/.test(rel)
|
||||
}
|
||||
|
||||
function isEnvLike(rel) {
|
||||
const base = path.basename(rel)
|
||||
return base === '.env' || base.startsWith('.env') || base.endsWith('.env')
|
||||
}
|
||||
|
||||
function looksPlaceholder(value) {
|
||||
const v = value.trim().replace(/^['"]|['"]$/g, '')
|
||||
if (!v || /^\$\{?[A-Z0-9_]+\}?$/i.test(v)) return true
|
||||
if (/replace-with|placeholder|example|your-|your_|dummy|changeme|change-me|test-secret|localhost|127\.0\.0\.1/i.test(v)) return true
|
||||
if (/^postgresql:\/\/[^:]+:replace-with-/i.test(v)) return true
|
||||
return false
|
||||
}
|
||||
|
||||
for (const file of files) {
|
||||
const rel = path.relative(root, file)
|
||||
if (rel.startsWith('.claude/') || rel === '.gitlab-ci.yml' || isTestPath(rel)) continue
|
||||
if (!/\.(ts|tsx|js|jsx|json|env|example|yml|yaml|toml|md|prisma|sql)$/.test(rel) && !path.basename(rel).startsWith('.env')) continue
|
||||
|
||||
let text
|
||||
try { text = fs.readFileSync(file, 'utf8') } catch { continue }
|
||||
if (text.includes('\u0000')) continue
|
||||
const lines = text.split(/\r?\n/)
|
||||
|
||||
for (let i = 0; i < lines.length; i += 1) {
|
||||
const line = lines[i]
|
||||
if (authTokenStorage.test(line)) {
|
||||
findings.push(`${rel}:${i + 1}: script-readable auth token storage`)
|
||||
}
|
||||
if (rel.includes('/webhooks/') || rel.includes('payment.routes') || rel.includes('subscription.routes')) {
|
||||
if (rawWebhookStringify.test(line)) findings.push(`${rel}:${i + 1}: webhook signature code must use raw body`)
|
||||
}
|
||||
if (isEnvLike(rel)) {
|
||||
const match = line.match(secretAssignment)
|
||||
if (match && !looksPlaceholder(match[2])) {
|
||||
findings.push(`${rel}:${i + 1}: possible committed secret`)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (findings.length) {
|
||||
console.error('Security static check failed:')
|
||||
for (const finding of findings) console.error(`- ${finding}`)
|
||||
process.exit(1)
|
||||
}
|
||||
|
||||
console.log('Security static check passed')
|
||||
Reference in New Issue
Block a user