## Phase 8: Enterprise Extractor Improvements ✅
- 14 security extractors (TLS, JWT, SQL injection, XSS, etc.)
- 10 framework-specific extractors (Spring, Django, Rails, etc.)
- Config file security detection (YAML, TOML)

## Phase 9: Autonomous Extractor Generation ✅
- Shadow mode executor with TP/FP tracking
- Graduation pipeline with confidence thresholds
- Auto-rollback on regression detection
- Cross-project pattern syncing

## UAT Suite Complete (14 scripts, 90 tests)
- test-core-detection.sh (6 tests)
- test-declarative-extractors.sh (5 tests)
- test-domain-frameworks.sh (5 tests)
- test-domain-unreal.sh (3 tests)
- test-llm-extraction.sh (6 tests)
- test-eval-harness.sh (5 tests)
- test-cross-language.sh (3 tests)
- test-precommit-performance.sh (4 tests)
- test-output-formats.sh (8 tests)
- test-drift-detection.sh (6 tests)
- test-exit-codes.sh (12 tests)
+ 3 more scripts

## Other Changes
- Updated roadmap to mark Phase 8-9 complete
- Added .gitignore entries for build artifacts
- Updated pre-commit: 800 line limit, exclude tests/data/cmd

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Phase 8.2: Framework-Specific Security Extractors
Research Date: 2026-02-05
Purpose: Implementation guide for framework-specific security extractors based on modern best practices (2024-2025)
Overview
This document provides comprehensive patterns for detecting security misconfigurations in the top 10 web frameworks. Each framework section includes:
- Configuration file patterns - Settings in config files (YAML, JSON, TOML, .env)
- Code patterns - Dangerous patterns in application code
- Missing protection patterns - Required security that's absent
- Known CVEs - Recent vulnerabilities to detect
1. Spring Boot Security (Java)
Impact: HIGH | Effort: HIGH | Languages: Java, YAML, Properties
Configuration Misconfigurations
application.yml / application.properties
# CRITICAL: Security disabled
security:
  basic:
    enabled: false  # Auth disabled entirely

# CRITICAL: CSRF disabled
spring:
  security:
    csrf:
      enabled: false  # CSRF protection disabled

# HIGH: Debug mode in production
spring:
  devtools:
    restart:
      enabled: true  # Dev tools in production

# HIGH: Clickjacking vulnerability
security:
  headers:
    frame-options: DISABLE  # X-Frame-Options disabled
    content-type-options: DISABLE
    xss-protection: false

# MEDIUM: Actuator endpoints exposed
management:
  endpoints:
    web:
      exposure:
        include: "*"  # All actuator endpoints exposed
  endpoint:
    health:
      show-details: always  # Health details exposed

# Properties file equivalents
security.basic.enabled=false
spring.security.csrf.enabled=false
management.endpoints.web.exposure.include=*
Java Code Patterns
// CRITICAL: CSRF disabled programmatically
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable(); // CSRF disabled
    }
}

// CRITICAL: Permit all requests (auth bypass)
http.authorizeRequests()
    .antMatchers("/**").permitAll(); // Everything public
http.authorizeRequests()
    .anyRequest().permitAll(); // Everything public

// HIGH: Frame options disabled
http.headers().frameOptions().disable();
http.headers().contentTypeOptions().disable();
http.headers().xssProtection().disable();

// HIGH: Session fixation not protected
http.sessionManagement()
    .sessionFixation().none(); // No session fixation protection

// MEDIUM: Remember-me with weak key
http.rememberMe()
    .key("simple-key"); // Weak remember-me key
Regex Patterns for Extractor
// Config patterns (YAML/Properties)
r"(?i)security[.\s:]*basic[.\s:]*enabled[.\s:=]+false"
r"(?i)csrf[.\s:]*enabled[.\s:=]+false"
r"(?i)frame-options[.\s:=]+(?:DISABLE|disable|none)"
r"(?i)exposure[.\s:]*include[.\s:=]+[\"']?\*[\"']?"
r"(?i)devtools[.\s:]*restart[.\s:]*enabled[.\s:=]+true"
// Java code patterns
r"\.csrf\(\)\.disable\(\)"
r"\.antMatchers\([\"']/\*\*[\"']\)\.permitAll\(\)"
r"\.anyRequest\(\)\.permitAll\(\)"
r"\.frameOptions\(\)\.disable\(\)"
r"\.sessionFixation\(\)\.none\(\)"
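To show how the config and Java patterns above behave on real input, here is an added example (not part of this document or the project's Rust extractors) that runs them with Python's re module over constructed application.yml, application.properties and Java fragments, including a correctly configured CSRF setting that must not be reported; the patterns use no lookaround or backreferences, so they are equally valid for Rust's regex crate. Rule ids and severities are assumptions.

```python
import re

# Spring Boot patterns from this document; rule ids and severities are
# assumptions added for the report, not the project's own names.
SPRING_CONFIG_PATTERNS = [
    ("CRITICAL", "spring-basic-auth-disabled",
     r"(?i)security[.\s:]*basic[.\s:]*enabled[.\s:=]+false"),
    ("CRITICAL", "spring-csrf-disabled",
     r"(?i)csrf[.\s:]*enabled[.\s:=]+false"),
    ("HIGH", "spring-frame-options-disabled",
     r"(?i)frame-options[.\s:=]+(?:DISABLE|disable|none)"),
    ("HIGH", "spring-devtools-enabled",
     r"(?i)devtools[.\s:]*restart[.\s:]*enabled[.\s:=]+true"),
    ("MEDIUM", "spring-actuator-exposed",
     r"(?i)exposure[.\s:]*include[.\s:=]+[\"']?\*[\"']?"),
]
SPRING_CODE_PATTERNS = [
    ("CRITICAL", "spring-csrf-disabled-code", r"\.csrf\(\)\.disable\(\)"),
    ("CRITICAL", "spring-permit-all", r"\.anyRequest\(\)\.permitAll\(\)"),
    ("HIGH", "spring-frame-options-disabled-code", r"\.frameOptions\(\)\.disable\(\)"),
    ("HIGH", "spring-session-fixation-none", r"\.sessionFixation\(\)\.none\(\)"),
]


def scan(text, patterns):
    r"""Return (severity, rule_id, line) for every match, ordered by line.

    The config regexes rely on \s matching newlines to walk nested YAML keys,
    so the whole file is searched in one pass and the line is recovered from
    the match offset; a line-by-line scan would never see the YAML form.
    """
    findings = []
    for severity, rule_id, pattern in patterns:
        for m in re.finditer(pattern, text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((severity, rule_id, line))
    return sorted(findings, key=lambda f: (f[2], f[1]))


# Constructed application.yml: CSRF correctly enabled (must not be reported),
# devtools restart on, and every actuator endpoint exposed.
SAMPLE_YAML = """\
spring:
  security:
    csrf:
      enabled: true
  devtools:
    restart:
      enabled: true
management:
  endpoints:
    web:
      exposure:
        include: "*"
"""

# Constructed application.properties equivalent of the first YAML snippet.
SAMPLE_PROPERTIES = "server.port=8080\nsecurity.basic.enabled=false\n"

# Constructed Java fragment: two findings, plus a sameOrigin() call that is safe.
SAMPLE_JAVA = """\
http.csrf().disable();
http.authorizeRequests().anyRequest().permitAll();
http.headers().frameOptions().sameOrigin();
"""

if __name__ == "__main__":
    print(scan(SAMPLE_YAML, SPRING_CONFIG_PATTERNS))
    print(scan(SAMPLE_PROPERTIES, SPRING_CONFIG_PATTERNS))
    print(scan(SAMPLE_JAVA, SPRING_CODE_PATTERNS))
```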
2. Django Security (Python)
Impact: HIGH | Effort: MEDIUM | Languages: Python
settings.py Misconfigurations
# CRITICAL: Debug mode in production
DEBUG = True # Must be False in production
# CRITICAL: All hosts allowed
ALLOWED_HOSTS = ['*'] # Should be specific domains
ALLOWED_HOSTS = [] # Empty in production is also dangerous
# HIGH: Insecure cookies
SESSION_COOKIE_SECURE = False # Cookies sent over HTTP
CSRF_COOKIE_SECURE = False # CSRF cookie sent over HTTP
SESSION_COOKIE_HTTPONLY = False # Cookie accessible to JS
# HIGH: Security headers disabled
SECURE_BROWSER_XSS_FILTER = False
SECURE_CONTENT_TYPE_NOSNIFF = False
X_FRAME_OPTIONS = 'ALLOWALL' # or None, or missing
# HIGH: HSTS disabled
SECURE_HSTS_SECONDS = 0 # HSTS disabled
SECURE_HSTS_INCLUDE_SUBDOMAINS = False
SECURE_HSTS_PRELOAD = False
# HIGH: SSL redirect disabled
SECURE_SSL_REDIRECT = False
# MEDIUM: Weak password hashers
PASSWORD_HASHERS = [
'django.contrib.auth.hashers.MD5PasswordHasher', # Weak!
'django.contrib.auth.hashers.SHA1PasswordHasher', # Weak!
]
# MEDIUM: Session engine insecure
SESSION_ENGINE = 'django.contrib.sessions.backends.file' # File-based sessions
Code Patterns
# CRITICAL: Raw SQL with user input
User.objects.raw("SELECT * FROM users WHERE id = %s" % user_id)
User.objects.raw(f"SELECT * FROM users WHERE id = {user_id}")
# HIGH: extra() with user input
User.objects.extra(where=["name = '%s'" % name])
User.objects.extra(select={'name': "name = %s" % value})
# HIGH: Eval/exec with user input
eval(request.GET.get('code'))
exec(request.POST['script'])
# HIGH: CSRF exempt decorator
@csrf_exempt
def my_view(request):
    pass
# MEDIUM: Hardcoded SECRET_KEY
SECRET_KEY = 'django-insecure-...'
SECRET_KEY = 'my-secret-key'
Regex Patterns for Extractor
// settings.py patterns
r"(?i)^\s*DEBUG\s*=\s*True"
r"(?i)ALLOWED_HOSTS\s*=\s*\[\s*(?:['\"]?\*['\"]?\s*)?\]" // Wildcard or empty list
r"(?i)SESSION_COOKIE_SECURE\s*=\s*False"
r"(?i)CSRF_COOKIE_SECURE\s*=\s*False"
r"(?i)SECURE_SSL_REDIRECT\s*=\s*False"
r"(?i)SECURE_HSTS_SECONDS\s*=\s*0"
r"(?i)X_FRAME_OPTIONS\s*=\s*['\"]?(?:ALLOWALL|None)['\"]?"
r"(?i)MD5PasswordHasher|SHA1PasswordHasher"
// Code patterns
r"\.objects\.raw\s*\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*%)" // f-string or %-formatted SQL
r"\.extra\s*\(\s*(?:where|select)\s*=\s*[\[{]" // where=[...] or select={...}
r"@csrf_exempt"
r"(?i)SECRET_KEY\s*=\s*['\"][^'\"]{0,50}['\"]" // Short/hardcoded keys
Sources
- Django Security Documentation
- Django Deployment Checklist
- OWASP Django Cheat Sheet
- Medium: Django Security Best Practices 2025
3. Express.js Security (Node.js)
Impact: HIGH | Effort: MEDIUM | Languages: JavaScript, TypeScript
Missing Security Middleware
// CRITICAL: No helmet middleware (look for absence)
const app = express();
// Missing: app.use(helmet());
// CRITICAL: CORS allows all origins with credentials
app.use(cors({
  origin: '*',
  credentials: true // Dangerous combination!
}));
app.use(cors({
  origin: true, // Reflects any origin
  credentials: true
}));
// HIGH: Trust proxy misconfigured
app.set('trust proxy', true); // Should be specific
app.enable('trust proxy');
// HIGH: x-powered-by not disabled
// Missing: app.disable('x-powered-by');
Cookie Misconfigurations
// HIGH: Insecure session cookies
app.use(session({
  secret: 'keyboard cat', // Weak secret
  cookie: {
    secure: false, // Not HTTPS-only
    httpOnly: false, // Accessible to JS
    sameSite: 'none' // Cross-site allowed
  }
}));

// HIGH: Individual cookie settings
res.cookie('session', value, {
  secure: false,
  httpOnly: false,
  sameSite: 'none'
});
Security Header Issues
// MEDIUM: Manually setting weak headers
res.setHeader('X-Frame-Options', 'ALLOWALL');
res.setHeader('X-XSS-Protection', '0');
res.removeHeader('X-Content-Type-Options');
// MEDIUM: CSP with unsafe directives
res.setHeader('Content-Security-Policy',
"default-src 'self' 'unsafe-inline' 'unsafe-eval'");
Regex Patterns for Extractor
// Missing helmet detection (heuristic)
// Look for express() without helmet()
r"const\s+app\s*=\s*express\(\)" // Then check for absence of helmet
// CORS misconfigurations
r"cors\s*\(\s*\{[^}]*origin\s*:\s*['\"]?\*['\"]?[^}]*credentials\s*:\s*true"
r"cors\s*\(\s*\{[^}]*origin\s*:\s*true[^}]*credentials\s*:\s*true"
// Cookie security (matches both session({ cookie: {...} }) and res.cookie(name, value, {...}))
r"(?:session|cookie)\s*(?::|\([^{]*)\s*\{[^}]*secure\s*:\s*false"
r"(?:session|cookie)\s*(?::|\([^{]*)\s*\{[^}]*httpOnly\s*:\s*false"
r"(?:session|cookie)\s*(?::|\([^{]*)\s*\{[^}]*sameSite\s*:\s*['\"]none['\"]"
// Weak session secret
r"session\s*\(\s*\{[^}]*secret\s*:\s*['\"][^'\"]{1,20}['\"]"
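The absence heuristic and the CORS combination above, as an added example (not this document's or the project's code): a Python check that only reports missing helmet or X-Powered-By handling in a file that actually creates an Express app, and, going beyond the single ordered regexes above, pulls out the cors({...}) options object and tests origin and credentials independently so the key order inside the object does not matter. Rule ids are assumptions.

```python
import re

# Patterns adapted from this document; rule ids are assumptions for the report.
EXPRESS_APP = re.compile(r"const\s+app\s*=\s*express\(\)")
HELMET_USE = re.compile(r"app\.use\(\s*helmet\(")
POWERED_BY_OFF = re.compile(r"app\.disable\(\s*['\"]x-powered-by['\"]\s*\)")
# Stage 1: capture each cors({...}) options literal (assumes no nested braces).
CORS_OPTIONS = re.compile(r"cors\s*\(\s*\{([^}]*)\}")
# Stage 2: test the two keys separately so their order in the object is irrelevant.
ORIGIN_ANY = re.compile(r"origin\s*:\s*(?:['\"]\*['\"]|true\b)")
CREDENTIALS_TRUE = re.compile(r"credentials\s*:\s*true\b")


def check_express_source(source):
    """Return (severity, rule_id) findings for one JavaScript source file."""
    findings = []
    # Absence checks only make sense in the file that creates the app;
    # reporting them in every module would drown the real finding in noise.
    if not EXPRESS_APP.search(source):
        return findings
    has_helmet = HELMET_USE.search(source) is not None
    if not has_helmet:
        findings.append(("CRITICAL", "express-missing-helmet"))
    # helmet() removes X-Powered-By itself, so report only when neither
    # helmet nor an explicit app.disable('x-powered-by') is present.
    if not has_helmet and not POWERED_BY_OFF.search(source):
        findings.append(("HIGH", "express-x-powered-by-exposed"))
    for m in CORS_OPTIONS.finditer(source):
        opts = m.group(1)
        if ORIGIN_ANY.search(opts) and CREDENTIALS_TRUE.search(opts):
            findings.append(("CRITICAL", "express-cors-any-origin-with-credentials"))
    return findings


# Constructed sample: no helmet, and the CORS keys in the reverse order of the
# document's regex, which a single ordered regex would miss.
VULNERABLE_SRC = """\
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors({
  credentials: true,
  origin: '*'
}));
app.listen(3000);
"""

# Constructed sample: helmet present, CORS pinned to one origin.
HARDENED_SRC = """\
const app = express();
app.use(helmet());
app.use(cors({ origin: 'https://app.example.com', credentials: true }));
"""

# Constructed sample: a middleware module that never creates an app.
HELPER_SRC = "module.exports = (req, res, next) => next();\n"

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SRC), ("hardened", HARDENED_SRC),
                      ("helper", HELPER_SRC)]:
        print(name, check_express_source(src))
```

A project may apply helmet() in a separate module, so treat express-missing-helmet as a lead to confirm across the code base rather than a definitive finding.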
Sources
- Express.js Security Best Practices
- Helmet.js GitHub
- Express Security Best Practices 2025
- LogRocket: Using Helmet in Node.js
4. Ruby on Rails Security
Impact: HIGH | Effort: MEDIUM | Languages: Ruby, YAML
Production Configuration (config/environments/production.rb)
# CRITICAL: Force SSL disabled
config.force_ssl = false # Should be true
# HIGH: Cookie security disabled
config.action_dispatch.cookies_same_site_protection = :none
config.session_store :cookie_store, secure: false
config.session_store :cookie_store, httponly: false
# HIGH: Forgery protection disabled
config.action_controller.allow_forgery_protection = false
# MEDIUM: Asset host insecure
config.action_controller.asset_host = 'http://...' # Not HTTPS
# MEDIUM: Log level too verbose
config.log_level = :debug # In production
Application Code Patterns
# CRITICAL: CSRF protection disabled
class ApplicationController < ActionController::Base
  skip_before_action :verify_authenticity_token
  protect_from_forgery with: :null_session # Disabled
end
# CRITICAL: SQL injection
User.where("name = '#{params[:name]}'")
User.where("name = '" + params[:name] + "'")
User.find_by_sql("SELECT * FROM users WHERE id = #{params[:id]}")
# HIGH: Mass assignment vulnerability
User.new(params[:user]) # Without strong parameters
User.create(params.permit!) # Permits everything
# HIGH: Render user input
render inline: params[:template]
render html: params[:content].html_safe
# MEDIUM: Hardcoded secrets
Rails.application.secrets.secret_key_base = 'hardcoded'
config/secrets.yml Patterns
# MEDIUM: Hardcoded production secrets
production:
  secret_key_base: "abc123..." # Should use ENV
Regex Patterns for Extractor
// Production config
r"config\.force_ssl\s*=\s*false"
r"cookies_same_site_protection\s*=\s*:none"
r"allow_forgery_protection\s*=\s*false"
r"session_store\s*:[^,]+,\s*secure:\s*false"
// Code patterns
r"skip_before_action\s*:verify_authenticity_token"
r"protect_from_forgery\s+with:\s*:null_session"
r"\.where\s*\(\s*['\"][^)]*#\{[^}]*params" // params interpolated inside the SQL string
r"\.where\s*\(\s*['\"][^)]*['\"]\s*\+\s*params" // params concatenated onto the SQL string
r"find_by_sql\s*\(['\"][^'\"]*#\{[^}]*params"
r"\.html_safe"
r"render\s+(?:inline|html):\s*params"
5. ASP.NET Core Security (C#)
Impact: HIGH | Effort: HIGH | Languages: C#, JSON
appsettings.json Misconfigurations
{
  "Jwt": {
    "ValidateIssuer": false,
    "ValidateAudience": false,
    "ValidateLifetime": false
  },
  "Cors": {
    "AllowedOrigins": ["*"],
    "AllowCredentials": true
  },
  "Logging": {
    "LogLevel": {
      "Default": "Debug" // Too verbose for production
    }
  }
}
C# Code Patterns
// CRITICAL: CSRF disabled
services.AddControllersWithViews(options => {
    options.Filters.Add(new IgnoreAntiforgeryTokenAttribute());
});
[IgnoreAntiforgeryToken]
public IActionResult Submit() { }

// CRITICAL: CORS allows all with credentials
services.AddCors(options => {
    options.AddPolicy("AllowAll", builder => {
        builder.AllowAnyOrigin()
               .AllowCredentials(); // Dangerous!
    });
});

// HIGH: JWT validation disabled
services.AddAuthentication().AddJwtBearer(options => {
    options.TokenValidationParameters = new TokenValidationParameters {
        ValidateIssuer = false,
        ValidateAudience = false,
        ValidateLifetime = false,
        ValidateIssuerSigningKey = false
    };
});

// HIGH: Insecure cookies
services.ConfigureApplicationCookie(options => {
    options.Cookie.SecurePolicy = CookieSecurePolicy.None;
    options.Cookie.HttpOnly = false;
    options.Cookie.SameSite = SameSiteMode.None;
});
// HIGH: HTTPS not required
app.UseHttpsRedirection(); // Check if missing
// MEDIUM: Development exception page in production
app.UseDeveloperExceptionPage(); // Should be in if(env.IsDevelopment())
Regex Patterns for Extractor
// C# patterns
r"IgnoreAntiforgeryToken"
r"ValidateIssuer\s*=\s*false"
r"ValidateAudience\s*=\s*false"
r"ValidateLifetime\s*=\s*false"
r"AllowAnyOrigin\(\)[^;]*AllowCredentials\(\)"
r"SecurePolicy\s*=\s*CookieSecurePolicy\.None"
r"HttpOnly\s*=\s*false"
r"SameSite\s*=\s*SameSiteMode\.None"
r"UseDeveloperExceptionPage\(\)"
Sources
- Microsoft ASP.NET Core Security Docs
- Anti-Forgery in ASP.NET Core
- ASP.NET Core Security Best Practices 2025
6. Laravel Security (PHP)
Impact: HIGH | Effort: MEDIUM | Languages: PHP
.env Misconfigurations
# CRITICAL: Debug mode in production
APP_DEBUG=true # Must be false
# CRITICAL: APP_KEY exposed or weak
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= # Weak
APP_KEY= # Empty!
# HIGH: Session/cookie insecurity
SESSION_SECURE_COOKIE=false
SESSION_HTTP_ONLY=false
# MEDIUM: Insecure driver
SESSION_DRIVER=file # Should be redis/database in production
config/*.php Misconfigurations
// config/app.php
'debug' => true, // Should be env('APP_DEBUG', false)
'key' => 'SomeWeakKey', // Hardcoded key
// config/session.php
'secure' => false,
'http_only' => false,
'same_site' => null,
// config/cors.php
'allowed_origins' => ['*'],
'supports_credentials' => true, // Dangerous combination
PHP Code Patterns
// CRITICAL: CSRF verification disabled
class Controller extends BaseController {
    protected $except = ['*']; // All routes exempt
}
// In VerifyCsrfToken middleware
protected $except = [
    'api/*', // Entire API exempt
    'webhook/*',
];
// CRITICAL: Mass assignment vulnerability
User::create($request->all());
User::update($request->all());
$user->fill($request->all());
// HIGH: Raw queries with user input
DB::raw("SELECT * FROM users WHERE id = " . $request->id);
DB::select("SELECT * FROM users WHERE id = {$id}");
// HIGH: Eval/exec
eval($request->code);
exec($request->command);
shell_exec($request->cmd);
// MEDIUM: Hardcoded credentials
'password' => 'secret',
'api_key' => 'hardcoded_key',
Known CVEs (2024-2025)
CVE-2024-52301 (CVSS 8.7): register_argc_argv vulnerability
- Attackers can manipulate environment settings via crafted query strings
- Detect: Check for vulnerable Laravel versions
Regex Patterns for Extractor
// .env patterns
r"(?i)^APP_DEBUG\s*=\s*true"
r"(?i)^APP_KEY\s*=\s*$" // Empty key
r"(?i)^SESSION_SECURE_COOKIE\s*=\s*false"
// PHP config patterns
r"['\"]debug['\"]\s*=>\s*true"
r"protected\s+\$except\s*=\s*\[\s*['\"]?\*['\"]?\s*\]"
r"::create\s*\(\s*\$request->all\(\)\s*\)"
r"DB::raw\s*\(['\"][^'\"]*['\"]\s*\.\s*\$" // String concatenated with a variable
r"DB::select\s*\(['\"][^'\"]*\{\$"
Sources
- Laravel CSRF Documentation
- Laravel Security Best Practices 2025
- GitGuardian: APP_KEY Leaks
- CVE-2024-52301 Analysis
7. FastAPI Security (Python)
Impact: MEDIUM | Effort: LOW | Languages: Python
Security Misconfigurations
# CRITICAL: CORS allows all with credentials
from fastapi.middleware.cors import CORSMiddleware
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,  # Dangerous combination!
    allow_methods=["*"],
    allow_headers=["*"],
)

# HIGH: No authentication on sensitive endpoints
@app.get("/admin/users")
async def get_users():  # No Depends(get_current_user)
    return db.get_all_users()

# HIGH: Hardcoded secrets
SECRET_KEY = "mysecretkey"
JWT_SECRET = "jwt-secret-key"

# MEDIUM: Debug mode
app = FastAPI(debug=True)  # Should be False in production

# MEDIUM: Weak password hashing
from passlib.context import CryptContext
from passlib.hash import md5_crypt  # Weak!
pwd_context = CryptContext(schemes=["md5_crypt"])
Regex Patterns for Extractor
r"allow_origins\s*=\s*\[\s*['\"]?\*['\"]?\s*\][^)]*allow_credentials\s*=\s*True"
r"FastAPI\s*\([^)]*debug\s*=\s*True"
r"(?:SECRET_KEY|JWT_SECRET)\s*=\s*['\"][^'\"]{1,30}['\"]"
r"CryptContext\s*\([^)]*md5"
8. Next.js Security
Impact: HIGH | Effort: HIGH | Languages: JavaScript, TypeScript
Critical: CVE-2025-29927 Middleware Bypass
// CRITICAL: Relying only on middleware for auth
// middleware.ts
export function middleware(request) {
  // Auth check here is BYPASSABLE in affected versions!
  if (!isAuthenticated(request)) {
    return NextResponse.redirect('/login');
  }
}
// Attackers can bypass with: x-middleware-subrequest header
Configuration Misconfigurations
// next.config.js
// HIGH: Security headers missing or weak
const nextConfig = {
  // Missing headers configuration
};

// HIGH: Experimental features in production
const nextConfig = {
  experimental: {
    serverActions: true, // Requires careful handling
  },
};

// MEDIUM: Powered-by header not removed
const nextConfig = {
  poweredByHeader: true, // Should be false
};
Code Patterns
// HIGH: Auth not checked in Server Actions
'use server';
export async function deleteUser(id) {
  // No auth check!
  await db.users.delete(id);
}

// HIGH: Sensitive data in client components
'use client';
export function Dashboard({ user }) {
  // user.password or user.ssn exposed to client
  console.log(user.apiKey);
}
// MEDIUM: Environment variables exposed
const API_KEY = process.env.API_KEY; // In client component
Regex Patterns for Extractor
// Middleware-only auth (warning about CVE)
r"export\s+(?:async\s+)?function\s+middleware" // Then check for auth logic
// Missing auth in Server Actions
r"['\"]use server['\"]\s*;[^}]*async\s+function\s+\w+[^}]*db\."
// Exposed secrets in client
r"['\"]use client['\"]\s*;[^}]*process\.env\.\w+(?:KEY|SECRET|TOKEN)"
// Config issues
r"poweredByHeader\s*:\s*true"
Sources
- CVE-2025-29927 Analysis
- Complete Next.js Security Guide 2025
- Next.js Authentication Best Practices 2025
9. Flask Security (Python)
Impact: MEDIUM | Effort: LOW | Languages: Python
Configuration Misconfigurations
# CRITICAL: No secret key or weak secret
app.secret_key = None
app.secret_key = ''
app.secret_key = 'dev'
app.config['SECRET_KEY'] = 'simple'
# HIGH: Session cookie security disabled
app.config['SESSION_COOKIE_SECURE'] = False
app.config['SESSION_COOKIE_HTTPONLY'] = False
app.config['SESSION_COOKIE_SAMESITE'] = None
# HIGH: Debug mode in production
app.debug = True
app.config['DEBUG'] = True
app.run(debug=True)
# MEDIUM: Permanent session lifetime too long
app.config['PERMANENT_SESSION_LIFETIME'] = timedelta(days=365)
Code Patterns
# CRITICAL: CSRF protection disabled
from flask_wtf.csrf import CSRFProtect
# Missing: csrf = CSRFProtect(app)
# Or explicitly disabled
app.config['WTF_CSRF_ENABLED'] = False
# HIGH: SQL injection
db.execute(f"SELECT * FROM users WHERE id = {user_id}")
db.execute("SELECT * FROM users WHERE id = " + request.args.get('id'))
# HIGH: Hardcoded secrets in code
app.secret_key = 'mysupersecretkey'
API_KEY = 'hardcoded-api-key'
# MEDIUM: Unsafe file handling
@app.route('/upload', methods=['POST'])
def upload():
    f = request.files['file']
    f.save('/uploads/' + f.filename)  # Path traversal!
Regex Patterns for Extractor
// Config patterns (cover both app.secret_key = ... and app.config['SECRET_KEY'] = ... forms)
r"(?:app\.secret_key|SECRET_KEY['\"]?\]?)\s*=\s*(?:None|''|['\"][^'\"]{0,20}['\"])"
r"SESSION_COOKIE_SECURE['\"]?\]?\s*[=:]\s*False"
r"SESSION_COOKIE_HTTPONLY['\"]?\]?\s*[=:]\s*False"
r"WTF_CSRF_ENABLED['\"]?\]?\s*[=:]\s*False"
r"app\.(?:debug|run\([^)]*debug)\s*=\s*True"
r"DEBUG['\"]?\]?\s*[=:]\s*True"
// Code patterns
r"db\.execute\s*\(\s*(?:f['\"]|['\"][^'\"]*['\"]\s*\+)" // f-string or concatenated SQL
r"\.save\s*\([^)]*\+[^)]*filename"
Sources
- Flask Security Documentation
- Flask Security Best Practices 2025
- Miguel Grinberg: Flask Cookie Security
10. NestJS Security (TypeScript)
Impact: MEDIUM | Effort: MEDIUM | Languages: TypeScript
Configuration Misconfigurations
// CRITICAL: CORS allows all with credentials
app.enableCors({
  origin: '*',
  credentials: true, // Dangerous!
});
app.enableCors({
  origin: true, // Reflects any origin
  credentials: true,
});
// HIGH: Helmet not used
// Missing: app.use(helmet());
// HIGH: Rate limiting not configured
// Missing: app.useGlobalGuards(new ThrottlerGuard());
// MEDIUM: Validation pipe not global
// Missing: app.useGlobalPipes(new ValidationPipe());
Code Patterns
// HIGH: Guards disabled or skipped
@Public() // Custom decorator bypassing auth
@SkipAuth()
@SetMetadata('isPublic', true)
// HIGH: No auth guard on sensitive routes
@Controller('admin')
export class AdminController {
  @Get('users')
  // Missing @UseGuards(AuthGuard)
  getUsers() { }
}

// HIGH: Raw query with user input
await this.entityManager.query(
  `SELECT * FROM users WHERE id = ${userId}`
);

// MEDIUM: Weak JWT configuration
JwtModule.register({
  secret: 'weak-secret',
  signOptions: { expiresIn: '365d' }, // Too long
});
// MEDIUM: Debug logging
Logger.debug(sensitiveData);
Regex Patterns for Extractor
// CORS issues
r"enableCors\s*\(\s*\{[^}]*origin\s*:\s*(?:['\"]?\*['\"]?|true)[^}]*credentials\s*:\s*true"
// Missing security (heuristic - check for absence)
r"import.*NestFactory" // Then check for helmet, throttler
// Auth bypass
r"@(?:Public|SkipAuth)\(\)"
r"SetMetadata\s*\(\s*['\"]isPublic['\"]"
// SQL injection in TypeORM
r"\.query\s*\(\s*`[^`]*\$\{[^}]*\}`"
r"\.query\s*\([^)]*\+[^)]*\)"
// Weak JWT
r"JwtModule\.register\s*\(\s*\{[^}]*secret\s*:\s*['\"][^'\"]{1,30}['\"]"
Implementation Strategy
Phase 8.2.1: Spring Boot (Java)
Files: extractors/spring_security.rs
Languages: Java, Yaml, Properties
Priority: HIGH (most enterprise usage)
| Pattern Type | Count | Complexity |
|---|---|---|
| Config (YAML/Properties) | 8 | LOW |
| Java Code | 10 | MEDIUM |
Phase 8.2.2: Django (Python)
Files: extractors/django_security.rs
Languages: Python
Priority: HIGH (already have Python support)
| Pattern Type | Count | Complexity |
|---|---|---|
| settings.py | 12 | LOW |
| Code patterns | 6 | LOW |
Phase 8.2.3: Express.js (JavaScript/TypeScript)
Files: extractors/express_security.rs
Languages: JavaScript, TypeScript
Priority: HIGH (very common)
| Pattern Type | Count | Complexity |
|---|---|---|
| Middleware config | 8 | MEDIUM |
| Cookie settings | 6 | LOW |
Phase 8.2.4: Rails (Ruby)
Files: extractors/rails_security.rs
Languages: Ruby, Yaml
Priority: MEDIUM
| Pattern Type | Count | Complexity |
|---|---|---|
| Config (production.rb) | 6 | LOW |
| Code patterns | 8 | MEDIUM |
Phase 8.2.5: Additional Frameworks
Laravel, ASP.NET, FastAPI, Next.js, Flask, NestJS
These can be implemented incrementally using the patterns documented above.
Summary: Total Patterns
| Framework | Config Patterns | Code Patterns | Total |
|---|---|---|---|
| Spring Boot | 8 | 10 | 18 |
| Django | 12 | 6 | 18 |
| Express.js | 8 | 6 | 14 |
| Rails | 6 | 8 | 14 |
| ASP.NET Core | 5 | 8 | 13 |
| Laravel | 6 | 8 | 14 |
| FastAPI | 4 | 2 | 6 |
| Next.js | 3 | 4 | 7 |
| Flask | 6 | 4 | 10 |
| NestJS | 4 | 6 | 10 |
| Total | 62 | 62 | 124 |
New Languages Required
| Language | Extension | Used By |
|---|---|---|
| Java | .java | Spring Boot |
| C# | .cs | ASP.NET Core |
| PHP | .php | Laravel |
| Properties | .properties | Spring Boot |
Note: Ruby support may need enhancement for Rails patterns.
Recommended Implementation Order
- Django - Reuse existing Python infrastructure, HIGH value
- Express.js - Reuse existing JS/TS infrastructure, HIGH value
- Spring Boot - Requires Java language support, VERY HIGH enterprise value
- Laravel - Requires PHP language support, HIGH value
- Rails - Requires Ruby language enhancement, MEDIUM value
- FastAPI - Reuse Python, MEDIUM value
- Flask - Reuse Python, MEDIUM value
- NestJS - Reuse TypeScript, MEDIUM value
- Next.js - Reuse TypeScript, MEDIUM value (CVE detection important)
- ASP.NET Core - Requires C# language support, MEDIUM value