# Phase 8.2: Framework-Specific Security Extractors

> **Research Date:** 2026-02-05
> **Purpose:** Implementation guide for framework-specific security extractors based on modern best practices (2024-2025)

## Overview

This document provides comprehensive patterns for detecting security misconfigurations in the top 10 web frameworks. Each framework section includes:

1. **Configuration file patterns** - Settings in config files (YAML, JSON, TOML, .env)
2. **Code patterns** - Dangerous patterns in application code
3. **Missing protection patterns** - Required security that's absent
4. **Known CVEs** - Recent vulnerabilities to detect

---

## 1. Spring Boot Security (Java)

**Impact:** HIGH | **Effort:** HIGH | **Languages:** Java, YAML, Properties

### Configuration Misconfigurations

#### application.yml / application.properties

```yaml
# Each block below is a separate snippet; together they are not one valid YAML
# document (a real file cannot repeat the top-level `spring:` / `security:` keys).

# CRITICAL: Security disabled
# (`security.basic.*` is a Spring Boot 1.x property removed in 2.0, so this
# only matches legacy configurations)
security:
  basic:
    enabled: false # Auth disabled entirely

# CRITICAL: CSRF disabled
spring:
  security:
    csrf:
      enabled: false # CSRF protection disabled

# HIGH: Debug mode in production
spring:
  devtools:
    restart:
      enabled: true # Dev tools in production

# HIGH: Clickjacking vulnerability
security:
  headers:
    frame-options: DISABLE # X-Frame-Options disabled
    content-type-options: DISABLE
    xss-protection: false

# MEDIUM: Actuator endpoints exposed
management:
  endpoints:
    web:
      exposure:
        include: "*" # All actuator endpoints exposed
  endpoint:
    health:
      show-details: always # Health details exposed
```

```properties
# Properties file equivalents
security.basic.enabled=false
spring.security.csrf.enabled=false
management.endpoints.web.exposure.include=*
```

### Java Code Patterns

```java
// CRITICAL: CSRF disabled programmatically
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // CSRF disabled
    }
}

// The fragments below are the call chains the extractor should flag,
// not a complete configure() body.

// CRITICAL: Permit all requests (auth bypass)
http.authorizeRequests()
    .antMatchers("/**").permitAll(); // Everything public

http.authorizeRequests()
    .anyRequest().permitAll(); // Everything public

// HIGH: Frame options disabled
http.headers().frameOptions().disable();
http.headers().contentTypeOptions().disable();
http.headers().xssProtection().disable();

// HIGH: Session fixation not protected
http.sessionManagement()
    .sessionFixation().none(); // No session fixation protection

// MEDIUM: Remember-me with weak key
http.rememberMe()
    .key("simple-key"); // Weak remember-me key
```

### Regex Patterns for Extractor

```rust
// Patterns are written as r#"..."# raw strings: a plain r"..." literal cannot
// contain the double quote that several character classes below match.

// Config patterns (YAML/Properties)
r#"(?i)security[.\s:]*basic[.\s:]*enabled[.\s:=]+false"#
r#"(?i)csrf[.\s:]*enabled[.\s:=]+false"#
r#"(?i)frame-options[.\s:=]+(?:DISABLE|disable|none)"#
r#"(?i)exposure[.\s:]*include[.\s:=]+["']?\*["']?"#
r#"(?i)devtools[.\s:]*restart[.\s:]*enabled[.\s:=]+true"#

// Java code patterns
r#"\.csrf\(\)\.disable\(\)"#
r#"\.antMatchers\(["']/\*\*["']\)\.permitAll\(\)"#
r#"\.anyRequest\(\)\.permitAll\(\)"#
r#"\.frameOptions\(\)\.disable\(\)"#
r#"\.sessionFixation\(\)\.none\(\)"#
```

### Sources

- [Spring Boot Security Best Practices 2025](https://hub.corgea.com/articles/spring-boot-security-best-practices)
- [Baeldung CSRF Guide](https://www.baeldung.com/spring-security-csrf)
- [Spring Security CSRF Docs](https://docs.spring.io/spring-security/reference/features/exploits/csrf.html)

---

## 2. Django Security (Python)

**Impact:** HIGH | **Effort:** MEDIUM | **Languages:** Python

### settings.py Misconfigurations

```python
# CRITICAL: Debug mode in production
DEBUG = True  # Must be False in production

# CRITICAL: All hosts allowed
ALLOWED_HOSTS = ['*']  # Should be specific domains
ALLOWED_HOSTS = []  # Empty in production is also dangerous

# HIGH: Insecure cookies
SESSION_COOKIE_SECURE = False  # Cookies sent over HTTP
CSRF_COOKIE_SECURE = False  # CSRF cookie sent over HTTP
SESSION_COOKIE_HTTPONLY = False  # Cookie accessible to JS

# HIGH: Security headers disabled
SECURE_BROWSER_XSS_FILTER = False
SECURE_CONTENT_TYPE_NOSNIFF = False
X_FRAME_OPTIONS = 'ALLOWALL'  # or None, or missing

# HIGH: HSTS disabled
SECURE_HSTS_SECONDS = 0  # HSTS disabled
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False

# HIGH: SSL redirect disabled
SECURE_SSL_REDIRECT = False

# MEDIUM: Weak password hashers
PASSWORD_HASHERS = [
    'django.contrib.auth.hashers.MD5PasswordHasher',  # Weak!
    'django.contrib.auth.hashers.SHA1PasswordHasher',  # Weak!
]

# MEDIUM: Session engine insecure
SESSION_ENGINE = 'django.contrib.sessions.backends.file'  # File-based sessions
```

### Code Patterns

```python
# CRITICAL: Raw SQL with user input
User.objects.raw("SELECT * FROM users WHERE id = %s" % user_id)
User.objects.raw(f"SELECT * FROM users WHERE id = {user_id}")

# HIGH: extra() with user input
User.objects.extra(where=["name = '%s'" % name])
User.objects.extra(select={'name': "name = %s" % value})

# HIGH: Eval/exec with user input
eval(request.GET.get('code'))
exec(request.POST['script'])

# HIGH: CSRF exempt decorator
@csrf_exempt
def my_view(request):
    pass

# MEDIUM: Hardcoded SECRET_KEY
SECRET_KEY = 'django-insecure-...'
SECRET_KEY = 'my-secret-key'
```

### Regex Patterns for Extractor

```rust
// settings.py patterns
// (?m) makes ^ anchor at each line start when the extractor matches against
// whole-file text rather than line by line.
r#"(?mi)^\s*DEBUG\s*=\s*True"#
r#"(?i)ALLOWED_HOSTS\s*=\s*\[\s*['"]?\*['"]?\s*\]"#
r#"(?i)SESSION_COOKIE_SECURE\s*=\s*False"#
r#"(?i)CSRF_COOKIE_SECURE\s*=\s*False"#
r#"(?i)SECURE_SSL_REDIRECT\s*=\s*False"#
r#"(?i)SECURE_HSTS_SECONDS\s*=\s*0"#
r#"(?i)X_FRAME_OPTIONS\s*=\s*['"]?(?:ALLOWALL|None)['"]?"#
r#"(?i)MD5PasswordHasher|SHA1PasswordHasher"#

// Code patterns
// Catches the f-string form; the `"... %s" % value` form needs a separate check,
// because there `%` is never directly followed by a quote.
r#"\.objects\.raw\s*\([^)]*[%f]['"]"#
r#"\.extra\s*\(\s*(?:where|select)\s*=\s*\["#
r#"@csrf_exempt"#
r#"(?i)SECRET_KEY\s*=\s*['"][^'"]{0,50}['"]"# // Short/hardcoded keys
```

### Sources

- [Django Security Documentation](https://docs.djangoproject.com/en/6.0/topics/security/)
- [Django Deployment Checklist](https://docs.djangoproject.com/en/6.0/howto/deployment/checklist/)
- [OWASP Django Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Django_Security_Cheat_Sheet.html)
- [Medium: Django Security Best Practices 2025](https://shiladityamajumder.medium.com/how-to-secure-your-django-application-best-practices-for-2025-e9234cf71ab7)

---

## 3. Express.js Security (Node.js)

**Impact:** HIGH | **Effort:** MEDIUM | **Languages:** JavaScript, TypeScript

### Missing Security Middleware

```javascript
// CRITICAL: No helmet middleware (look for absence)
const app = express();
// Missing: app.use(helmet());

// CRITICAL: CORS allows all origins with credentials
app.use(cors({
  origin: '*',
  credentials: true // Dangerous combination!
}));

app.use(cors({
  origin: true, // Reflects any origin
  credentials: true
}));

// HIGH: Trust proxy misconfigured
app.set('trust proxy', true); // Should be specific
app.enable('trust proxy');

// HIGH: x-powered-by not disabled
// Missing: app.disable('x-powered-by');
```

### Cookie Misconfigurations

```javascript
// HIGH: Insecure session cookies
app.use(session({
  secret: 'keyboard cat', // Weak secret
  cookie: {
    secure: false, // Not HTTPS-only
    httpOnly: false, // Accessible to JS
    sameSite: 'none' // Cross-site allowed
  }
}));

// HIGH: Individual cookie settings
res.cookie('session', value, {
  secure: false,
  httpOnly: false,
  sameSite: 'none'
});
```

### Security Header Issues

```javascript
// MEDIUM: Manually setting weak headers
res.setHeader('X-Frame-Options', 'ALLOWALL');
res.setHeader('X-XSS-Protection', '0');
res.removeHeader('X-Content-Type-Options');

// MEDIUM: CSP with unsafe directives
res.setHeader('Content-Security-Policy',
  "default-src 'self' 'unsafe-inline' 'unsafe-eval'");
```

### Regex Patterns for Extractor

```rust
// Missing helmet detection (heuristic)
// Look for express() without helmet()
r#"const\s+app\s*=\s*express\(\)"#
// Then check for absence of helmet

// CORS misconfigurations
r#"cors\s*\(\s*\{[^}]*origin\s*:\s*['"]?\*['"]?[^}]*credentials\s*:\s*true"#
r#"cors\s*\(\s*\{[^}]*origin\s*:\s*true[^}]*credentials\s*:\s*true"#

// Cookie security
r#"(?:session|cookie)\s*[:(]\s*\{[^}]*secure\s*:\s*false"#
r#"(?:session|cookie)\s*[:(]\s*\{[^}]*httpOnly\s*:\s*false"#
r#"(?:session|cookie)\s*[:(]\s*\{[^}]*sameSite\s*:\s*['"]none['"]"#

// Weak session secret
r#"session\s*\(\s*\{[^}]*secret\s*:\s*['"][^'"]{1,20}['"]"#
```

### Sources

- [Express.js Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)
- [Helmet.js GitHub](https://github.com/helmetjs/helmet)
- [Express Security Best Practices 2025](https://hub.corgea.com/articles/express-security-best-practices-2025)
- [LogRocket: Using Helmet in Node.js](https://blog.logrocket.com/using-helmet-node-js-secure-application/)

---

## 4. Ruby on Rails Security

**Impact:** HIGH | **Effort:** MEDIUM | **Languages:** Ruby, YAML

### Production Configuration (config/environments/production.rb)

```ruby
# CRITICAL: Force SSL disabled
config.force_ssl = false # Should be true

# HIGH: Cookie security disabled
config.action_dispatch.cookies_same_site_protection = :none
config.session_store :cookie_store, secure: false
config.session_store :cookie_store, httponly: false

# HIGH: Forgery protection disabled
config.action_controller.allow_forgery_protection = false

# MEDIUM: Asset host insecure
config.action_controller.asset_host = 'http://...' # Not HTTPS

# MEDIUM: Log level too verbose
config.log_level = :debug # In production
```

### Application Code Patterns

```ruby
# CRITICAL: CSRF protection disabled
class ApplicationController < ActionController::Base
  skip_before_action :verify_authenticity_token
  protect_from_forgery with: :null_session # Disabled
end

# CRITICAL: SQL injection
User.where("name = '#{params[:name]}'")
User.where("name = '" + params[:name] + "'")
User.find_by_sql("SELECT * FROM users WHERE id = #{params[:id]}")

# HIGH: Mass assignment vulnerability
User.new(params[:user]) # Without strong parameters
User.create(params.permit!) # Permits everything

# HIGH: Render user input
render inline: params[:template]
render html: params[:content].html_safe

# MEDIUM: Hardcoded secrets
Rails.application.secrets.secret_key_base = 'hardcoded'
```

### config/secrets.yml Patterns

```yaml
# MEDIUM: Hardcoded production secrets
production:
  secret_key_base: "abc123..." # Should use ENV
```

### Regex Patterns for Extractor

```rust
// Production config
r#"config\.force_ssl\s*=\s*false"#
r#"cookies_same_site_protection\s*=\s*:none"#
r#"allow_forgery_protection\s*=\s*false"#
r#"session_store\s*:[^,]+,\s*secure:\s*false"#

// Code patterns
r#"skip_before_action\s*:verify_authenticity_token"#
r#"protect_from_forgery\s+with:\s*:null_session"#
r#"\.where\s*\(['"][^'"]*#\{[^}]*params"#
r#"find_by_sql\s*\(['"][^'"]*#\{[^}]*params"#
r#"\.html_safe"#
r#"render\s+(?:inline|html):\s*params"#
```

### Sources

- [Rails Security Guide](https://guides.rubyonrails.org/security.html)
- [OWASP Rails Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Ruby_on_Rails_Cheat_Sheet.html)
- [Rails Security Best Practices 2025](https://saastrail.com/rails-security-best-practices/)

---

## 5. ASP.NET Core Security (C#)

**Impact:** HIGH | **Effort:** HIGH | **Languages:** C#, JSON

### appsettings.json Misconfigurations

```json
{
  "Jwt": {
    "ValidateIssuer": false,
    "ValidateAudience": false,
    "ValidateLifetime": false
  },
  "Cors": {
    "AllowedOrigins": ["*"],
    "AllowCredentials": true
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug" // Too verbose for production
    }
  }
}
```

### C# Code Patterns

```csharp
// CRITICAL: CSRF disabled
services.AddControllersWithViews(options =>
{
    options.Filters.Add(new IgnoreAntiforgeryTokenAttribute());
});

[IgnoreAntiforgeryToken]
public IActionResult Submit() { }

// CRITICAL: CORS allows all with credentials
services.AddCors(options =>
{
    options.AddPolicy("AllowAll", builder =>
    {
        builder.AllowAnyOrigin()
               .AllowCredentials(); // Dangerous!
    });
});

// HIGH: JWT validation disabled
services.AddAuthentication().AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = false
    };
});

// HIGH: Insecure cookies
services.ConfigureApplicationCookie(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.None;
    options.Cookie.HttpOnly = false;
    options.Cookie.SameSite = SameSiteMode.None;
});

// HIGH: HTTPS not required
app.UseHttpsRedirection(); // Check if missing

// MEDIUM: Development exception page in production
app.UseDeveloperExceptionPage(); // Should be in if(env.IsDevelopment())
```

### Regex Patterns for Extractor

```rust
// C# patterns
r#"IgnoreAntiforgeryToken"#
r#"ValidateIssuer\s*=\s*false"#
r#"ValidateAudience\s*=\s*false"#
r#"ValidateLifetime\s*=\s*false"#
r#"AllowAnyOrigin\(\)[^;]*AllowCredentials\(\)"#
r#"SecurePolicy\s*=\s*CookieSecurePolicy\.None"#
r#"HttpOnly\s*=\s*false"#
r#"SameSite\s*=\s*SameSiteMode\.None"#
r#"UseDeveloperExceptionPage\(\)"#
```

### Sources

- [Microsoft ASP.NET Core Security Docs](https://learn.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-8.0)
- [Anti-Forgery in ASP.NET Core](https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-9.0)
- [ASP.NET Core Security Best Practices 2025](https://www.c-sharpcorner.com/article/best-practices-to-secure-asp-net-core-apis-against-modern-attacks-2025-edition/)

---

## 6. Laravel Security (PHP)

**Impact:** HIGH | **Effort:** MEDIUM | **Languages:** PHP

### .env Misconfigurations

```bash
# CRITICAL: Debug mode in production
APP_DEBUG=true # Must be false

# CRITICAL: APP_KEY exposed or weak
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # Weak
APP_KEY= # Empty!

# HIGH: Session/cookie insecurity
SESSION_SECURE_COOKIE=false
SESSION_HTTP_ONLY=false

# MEDIUM: Insecure driver
SESSION_DRIVER=file # Should be redis/database in production
```

### config/*.php Misconfigurations

```php
// config/app.php
'debug' => true, // Should be env('APP_DEBUG', false)
'key' => 'SomeWeakKey', // Hardcoded key

// config/session.php
'secure' => false,
'http_only' => false,
'same_site' => null,

// config/cors.php
'allowed_origins' => ['*'],
'supports_credentials' => true, // Dangerous combination
```

### PHP Code Patterns

```php
// CRITICAL: CSRF verification disabled
class Controller extends BaseController
{
    protected $except = ['*']; // All routes exempt
}

// In VerifyCsrfToken middleware
protected $except = [
    'api/*', // Entire API exempt
    'webhook/*',
];

// CRITICAL: Mass assignment vulnerability
User::create($request->all());
User::update($request->all());
$user->fill($request->all());

// HIGH: Raw queries with user input
DB::raw("SELECT * FROM users WHERE id = " . $request->id);
DB::select("SELECT * FROM users WHERE id = {$id}");

// HIGH: Eval/exec
eval($request->code);
exec($request->command);
shell_exec($request->cmd);

// MEDIUM: Hardcoded credentials
'password' => 'secret',
'api_key' => 'hardcoded_key',
```

### Known CVEs (2024-2025)

```
CVE-2024-52301 (CVSS 8.7): register_argc_argv vulnerability
- Attackers can manipulate environment settings via crafted query strings
- Detect: Check for vulnerable Laravel versions
```

### Regex Patterns for Extractor

```rust
// .env patterns ((?m) so ^ and $ anchor per line in whole-file text)
r#"(?mi)^APP_DEBUG\s*=\s*true"#
r#"(?mi)^APP_KEY\s*=\s*$"# // Empty key
r#"(?mi)^SESSION_SECURE_COOKIE\s*=\s*false"#

// PHP config patterns
r#"['"]debug['"]\s*=>\s*true"#
r#"protected\s+\$except\s*=\s*\[\s*['"]?\*['"]?\s*\]"#
r#"::create\s*\(\s*\$request->all\(\)\s*\)"#
r#"DB::raw\s*\(['"][^'"]*\.\s*\$"#
r#"DB::select\s*\(['"][^'"]*\{\$"#
```

### Sources

- [Laravel CSRF Documentation](https://laravel.com/docs/12.x/csrf)
- [Laravel Security Best Practices 2025](https://dev.to/sharifcse58/15-laravel-security-best-practices-in-2025-2lco)
- [GitGuardian: APP_KEY Leaks](https://blog.gitguardian.com/exploiting-public-app_key-leaks/)
- [CVE-2024-52301 Analysis](https://dev.to/saanchitapaul/high-severity-laravel-vulnerability-cve-2024-52301-awareness-and-action-required-15po)

---

## 7. FastAPI Security (Python)

**Impact:** MEDIUM | **Effort:** LOW | **Languages:** Python

### Security Misconfigurations

```python
# CRITICAL: CORS allows all with credentials
from fastapi.middleware.cors import CORSMiddleware

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,  # Dangerous combination!
    allow_methods=["*"],
    allow_headers=["*"],
)

# HIGH: No authentication on sensitive endpoints
@app.get("/admin/users")
async def get_users():  # No Depends(get_current_user)
    return db.get_all_users()

# HIGH: Hardcoded secrets
SECRET_KEY = "mysecretkey"
JWT_SECRET = "jwt-secret-key"

# MEDIUM: Debug mode
app = FastAPI(debug=True)  # Should be False in production

# MEDIUM: Weak password hashing
from passlib.context import CryptContext
from passlib.hash import md5_crypt  # Weak!
pwd_context = CryptContext(schemes=["md5_crypt"])
```

### Regex Patterns for Extractor

```rust
r#"allow_origins\s*=\s*\[\s*['"]?\*['"]?\s*\][^)]*allow_credentials\s*=\s*True"#
r#"FastAPI\s*\([^)]*debug\s*=\s*True"#
r#"(?:SECRET_KEY|JWT_SECRET)\s*=\s*['"][^'"]{1,30}['"]"#
r#"CryptContext\s*\([^)]*md5"#
```

### Sources

- [FastAPI Security Tutorial](https://fastapi.tiangolo.com/tutorial/security/)
- [FastAPI OAuth2/JWT Guide](https://fastapi.tiangolo.com/tutorial/security/oauth2-jwt/)
- [FastAPI Security Best Practices](https://app-generator.dev/docs/technologies/fastapi/security-best-practices.html)

---

## 8. Next.js Security

**Impact:** HIGH | **Effort:** HIGH | **Languages:** JavaScript, TypeScript

### Critical: CVE-2025-29927 Middleware Bypass

```javascript
// CRITICAL: Relying only on middleware for auth
// middleware.ts
import { NextResponse } from 'next/server';

export function middleware(request) {
  // Auth check here is BYPASSABLE in affected versions!
  if (!isAuthenticated(request)) {
    return NextResponse.redirect('/login');
  }
}
// Attackers can bypass with: x-middleware-subrequest header
```

### Configuration Misconfigurations

```javascript
// next.config.js

// HIGH: Security headers missing or weak
const nextConfig = {
  // Missing headers configuration
};

// HIGH: Experimental features in production
const nextConfig = {
  experimental: {
    serverActions: true, // Requires careful handling
  },
};

// MEDIUM: Powered-by header not removed
const nextConfig = {
  poweredByHeader: true, // Should be false
};
```

### Code Patterns

```javascript
// HIGH: Auth not checked in Server Actions
'use server';
export async function deleteUser(id) {
  // No auth check!
  await db.users.delete(id);
}

// HIGH: Sensitive data in client components
'use client';
export function Dashboard({ user }) {
  // user.password or user.ssn exposed to client
  console.log(user.apiKey);
}

// MEDIUM: Environment variables exposed
const API_KEY = process.env.API_KEY; // In client component
```

### Regex Patterns for Extractor

```rust
// Middleware-only auth (warning about CVE)
r#"export\s+(?:async\s+)?function\s+middleware"#
// Then check for auth logic

// Missing auth in Server Actions
r#"['"]use server['"]\s*;[^}]*async\s+function\s+\w+[^}]*db\."#

// Exposed secrets in client
r#"['"]use client['"]\s*;[^}]*process\.env\.\w+(?:KEY|SECRET|TOKEN)"#

// Config issues
r#"poweredByHeader\s*:\s*true"#
```

### Sources

- [CVE-2025-29927 Analysis](https://projectdiscovery.io/blog/nextjs-middleware-authorization-bypass)
- [Complete Next.js Security Guide 2025](https://www.turbostarter.dev/blog/complete-nextjs-security-guide-2025-authentication-api-protection-and-best-practices)
- [Next.js Authentication Best Practices 2025](https://www.franciscomoretti.com/blog/modern-nextjs-authentication-best-practices)

---

## 9. Flask Security (Python)

**Impact:** MEDIUM | **Effort:** LOW | **Languages:** Python

### Configuration Misconfigurations

```python
from datetime import timedelta

# CRITICAL: No secret key or weak secret
app.secret_key = None
app.secret_key = ''
app.secret_key = 'dev'
app.config['SECRET_KEY'] = 'simple'

# HIGH: Session cookie security disabled
app.config['SESSION_COOKIE_SECURE'] = False
app.config['SESSION_COOKIE_HTTPONLY'] = False
app.config['SESSION_COOKIE_SAMESITE'] = None

# HIGH: Debug mode in production
app.debug = True
app.config['DEBUG'] = True
app.run(debug=True)

# MEDIUM: Permanent session lifetime too long
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=365)
```

### Code Patterns

```python
# CRITICAL: CSRF protection disabled
from flask_wtf.csrf import CSRFProtect
# Missing: csrf = CSRFProtect(app)

# Or explicitly disabled
app.config['WTF_CSRF_ENABLED'] = False

# HIGH: SQL injection
db.execute(f"SELECT * FROM users WHERE id = {user_id}")
db.execute("SELECT * FROM users WHERE id = " + request.args.get('id'))

# HIGH: Hardcoded secrets in code
app.secret_key = 'mysupersecretkey'
API_KEY = 'hardcoded-api-key'

# MEDIUM: Unsafe file handling
@app.route('/upload', methods=['POST'])
def upload():
    f = request.files['file']
    f.save('/uploads/' + f.filename)  # Path traversal!
```

### Regex Patterns for Extractor

```rust
// Config patterns
r#"(?:app\.secret_key|SECRET_KEY)\s*=\s*(?:None|''|['"][^'"]{0,20}['"])"#
r#"SESSION_COOKIE_SECURE['"]?\s*[=:]\s*False"#
r#"SESSION_COOKIE_HTTPONLY['"]?\s*[=:]\s*False"#
r#"WTF_CSRF_ENABLED['"]?\s*[=:]\s*False"#
r#"app\.(?:debug|run\([^)]*debug)\s*=\s*True"#
r#"DEBUG['"]?\s*[=:]\s*True"#

// Code patterns
r#"db\.execute\s*\([^)]*[f"][^)]*\{[^}]*request"#
r#"\.save\s*\([^)]*\+[^)]*filename"#
```

### Sources

- [Flask Security Documentation](https://flask.palletsprojects.com/en/stable/web-security/)
- [Flask Security Best Practices 2025](https://hub.corgea.com/articles/flask-security-best-practices-2025)
- [Miguel Grinberg: Flask Cookie Security](https://blog.miguelgrinberg.com/post/cookie-security-for-flask-applications)

---

## 10. NestJS Security (TypeScript)

**Impact:** MEDIUM | **Effort:** MEDIUM | **Languages:** TypeScript

### Configuration Misconfigurations

```typescript
// CRITICAL: CORS allows all with credentials
app.enableCors({
  origin: '*',
  credentials: true, // Dangerous!
});

app.enableCors({
  origin: true, // Reflects any origin
  credentials: true,
});

// HIGH: Helmet not used
// Missing: app.use(helmet());

// HIGH: Rate limiting not configured
// Missing: app.useGlobalGuards(new ThrottlerGuard());

// MEDIUM: Validation pipe not global
// Missing: app.useGlobalPipes(new ValidationPipe());
```

### Code Patterns

```typescript
// HIGH: Guards disabled or skipped
@Public() // Custom decorator bypassing auth
@SkipAuth()
@SetMetadata('isPublic', true)

// HIGH: No auth guard on sensitive routes
@Controller('admin')
export class AdminController {
  @Get('users') // Missing @UseGuards(AuthGuard)
  getUsers() { }
}

// HIGH: Raw query with user input
await this.entityManager.query(
  `SELECT * FROM users WHERE id = ${userId}`
);

// MEDIUM: Weak JWT configuration
JwtModule.register({
  secret: 'weak-secret',
  signOptions: { expiresIn: '365d' }, // Too long
});

// MEDIUM: Debug logging
Logger.debug(sensitiveData);
```

### Regex Patterns for Extractor

```rust
// CORS issues
r#"enableCors\s*\(\s*\{[^}]*origin\s*:\s*(?:['"]?\*['"]?|true)[^}]*credentials\s*:\s*true"#

// Missing security (heuristic - check for absence)
r#"import.*NestFactory"#
// Then check for helmet, throttler

// Auth bypass
r#"@(?:Public|SkipAuth)\(\)"#
r#"SetMetadata\s*\(\s*['"]isPublic['"]"#

// SQL injection in TypeORM
r#"\.query\s*\(\s*`[^`]*\$\{[^}]*\}`"#
r#"\.query\s*\([^)]*\+[^)]*\)"#

// Weak JWT
r#"JwtModule\.register\s*\(\s*\{[^}]*secret\s*:\s*['"][^'"]{1,30}['"]"#
```

### Sources

- [NestJS Helmet Docs](https://docs.nestjs.com/security/helmet)
- [NestJS Security Best Practices](https://moldstud.com/articles/p-top-nestjs-security-best-practices-comprehensive-faq-for-developers)
- [Secure NestJS Application Guide](https://javascript.plainenglish.io/secure-your-nestjs-application-production-ready-defaults-for-safety-and-dx-1b6896b1ce74)

---

## Implementation Strategy

### Phase 8.2.1: Spring Boot (Java)

**Files:** `extractors/spring_security.rs`
**Languages:** `Java`, `Yaml`, `Properties`
**Priority:** HIGH (most enterprise usage)

| Pattern Type | Count | Complexity |
|--------------|-------|------------|
| Config (YAML/Properties) | 8 | LOW |
| Java Code | 10 | MEDIUM |

### Phase 8.2.2: Django (Python)

**Files:** `extractors/django_security.rs`
**Languages:** `Python`
**Priority:** HIGH (already have Python support)

| Pattern Type | Count | Complexity |
|--------------|-------|------------|
| settings.py | 12 | LOW |
| Code patterns | 6 | LOW |

### Phase 8.2.3: Express.js (JavaScript/TypeScript)

**Files:** `extractors/express_security.rs`
**Languages:** `JavaScript`, `TypeScript`
**Priority:** HIGH (very common)

| Pattern Type | Count | Complexity |
|--------------|-------|------------|
| Middleware config | 8 | MEDIUM |
| Cookie settings | 6 | LOW |

### Phase 8.2.4: Rails (Ruby)

**Files:** `extractors/rails_security.rs`
**Languages:** `Ruby`, `Yaml`
**Priority:** MEDIUM

| Pattern Type | Count | Complexity |
|--------------|-------|------------|
| Config (production.rb) | 6 | LOW |
| Code patterns | 8 | MEDIUM |

### Phase 8.2.5: Additional Frameworks

**Laravel, ASP.NET, FastAPI, Next.js, Flask, NestJS**

These can be implemented incrementally using the patterns documented above.

---

## Summary: Total Patterns

| Framework | Config Patterns | Code Patterns | Total |
|-----------|-----------------|---------------|-------|
| Spring Boot | 8 | 10 | 18 |
| Django | 12 | 6 | 18 |
| Express.js | 8 | 6 | 14 |
| Rails | 6 | 8 | 14 |
| ASP.NET Core | 5 | 8 | 13 |
| Laravel | 6 | 8 | 14 |
| FastAPI | 4 | 2 | 6 |
| Next.js | 3 | 4 | 7 |
| Flask | 6 | 4 | 10 |
| NestJS | 4 | 6 | 10 |
| **Total** | **62** | **62** | **124** |

---

## New Languages Required

| Language | Extension | Used By |
|----------|-----------|---------|
| Java | `.java` | Spring Boot |
| C# | `.cs` | ASP.NET Core |
| PHP | `.php` | Laravel |
| Properties | `.properties` | Spring Boot |

**Note:** Ruby support may need enhancement for Rails patterns.

---

## Recommended Implementation Order

1. **Django** - Reuse existing Python infrastructure, HIGH value
2. **Express.js** - Reuse existing JS/TS infrastructure, HIGH value
3. **Spring Boot** - Requires Java language support, VERY HIGH enterprise value
4. **Laravel** - Requires PHP language support, HIGH value
5. **Rails** - Requires Ruby language enhancement, MEDIUM value
6. **FastAPI** - Reuse Python, MEDIUM value
7. **Flask** - Reuse Python, MEDIUM value
8. **NestJS** - Reuse TypeScript, MEDIUM value
9. **Next.js** - Reuse TypeScript, MEDIUM value (CVE detection important)
10. **ASP.NET Core** - Requires C# language support, MEDIUM value
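As an added example (not part of this guide and not the project's Rust extractors), a Python prototype of the extractor logic that the per-framework "Regex Patterns" sections describe: presence rules taken from the Django and Express sections, compiled with `re.MULTILINE` so the `^`-anchored settings.py pattern fires on any line, plus an absence rule for the `express()`-without-`helmet()` heuristic, all run over two constructed sample files. The rule ids and the helmet-call regex are assumptions made for this example.

```python
"""Prototype of the regex extractor (added example; not the project's Rust code).

Presence rules fire when a pattern matches; absence rules fire when a trigger
matches but the expected protection never appears anywhere in the file.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    line: int
    snippet: str


# (rule id, severity, pattern). Patterns come from the Django / Express sections;
# the ids are constructed for this example.
PRESENCE_RULES = [
    ("django-debug", "CRITICAL", r"(?i)^\s*DEBUG\s*=\s*True"),
    ("django-allowed-hosts-any", "CRITICAL",
     r"(?i)ALLOWED_HOSTS\s*=\s*\[\s*['\"]?\*['\"]?\s*\]"),
    ("django-session-cookie-insecure", "HIGH", r"(?i)SESSION_COOKIE_SECURE\s*=\s*False"),
    ("django-weak-hasher", "MEDIUM", r"(?i)MD5PasswordHasher|SHA1PasswordHasher"),
    ("express-cors-any-origin-credentials", "CRITICAL",
     r"cors\s*\(\s*\{[^}]*origin\s*:\s*['\"]?\*['\"]?[^}]*credentials\s*:\s*true"),
    ("express-weak-session-secret", "HIGH",
     r"session\s*\(\s*\{[^}]*secret\s*:\s*['\"][^'\"]{1,20}['\"]"),
]

# (rule id, severity, trigger pattern, expected-protection pattern).
ABSENCE_RULES = [
    ("express-missing-helmet", "CRITICAL",
     r"const\s+app\s*=\s*express\(\)",
     r"app\.use\s*\(\s*helmet\s*\("),  # assumed shape of the helmet call
]


def line_of(text: str, pos: int) -> int:
    """1-based line number of character offset `pos` in `text`."""
    return text.count("\n", 0, pos) + 1


def scan(text: str, multiline: bool = True) -> list[Finding]:
    """Run every rule over `text`; findings are sorted by line, then rule id.

    With multiline=False, '^' only anchors at the start of the whole file, so an
    anchored pattern such as the DEBUG rule misses every line but the first.
    """
    flags = re.MULTILINE if multiline else 0
    found: list[Finding] = []
    for rule_id, sev, pat in PRESENCE_RULES:
        for m in re.finditer(pat, text, flags):
            snippet = m.group(0).splitlines()[0].strip()
            found.append(Finding(rule_id, sev, line_of(text, m.start()), snippet))
    for rule_id, sev, trigger, expected in ABSENCE_RULES:
        hit = re.search(trigger, text, flags)
        if hit and not re.search(expected, text, flags):
            found.append(Finding(rule_id, sev, line_of(text, hit.start()), hit.group(0).strip()))
    return sorted(found, key=lambda f: (f.line, f.rule_id))


# Constructed sample inputs (not real project files).
DJANGO_SETTINGS = """\
# settings.py (constructed sample)
SECRET_KEY = 'django-insecure-example'
DEBUG = True
ALLOWED_HOSTS = ['*']
SESSION_COOKIE_SECURE = False
PASSWORD_HASHERS = ['django.contrib.auth.hashers.MD5PasswordHasher']
"""

EXPRESS_APP = """\
// app.js (constructed sample)
const express = require('express');
const cors = require('cors');
const session = require('express-session');
const app = express();
app.use(cors({ origin: '*', credentials: true }));
app.use(session({ secret: 'keyboard cat', cookie: { secure: false } }));
"""

if __name__ == "__main__":
    for f in scan(DJANGO_SETTINGS) + scan(EXPRESS_APP):
        print(f"{f.severity:<8} {f.rule_id:<36} line {f.line}: {f.snippet}")
```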