azaion/ui
1
0
Fork 0
mirror of https://github.com/azaion/ui.git synced 2026-06-21 22:31:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
098a55646030a2522c0575d441e47478f8fb7959
ui/scripts/check-banned-deps.mjs
T
Oleksandr Bezdieniezhnykh f7dd6c98d8
ci/woodpecker/push/build-arm Pipeline failed
Details
[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes 
Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 05:31:11 +03:00

221 lines
7.0 KiB
JavaScript
Executable File
Raw Blame History

#!/usr/bin/env node
// AZ-482 — static deny-list enforcement driven by tests/security/banned-deps.json.
//
// One canonical implementation that the run-tests.sh static profile delegates to,
// so adding or removing a banned dependency / pattern is a one-file change visible
// in code review (per AZ-482 constraint).
//
// Usage:
// node scripts/check-banned-deps.mjs --kind=<key> [--root=<repo-root>]
//
// Exit code 0 on PASS (no hits); non-zero on FAIL (writes the hit list to stderr).
import { readFileSync, statSync, readdirSync } from 'node:fs'
import { join, dirname, resolve, relative } from 'node:path'
import { fileURLToPath } from 'node:url'
const __filename = fileURLToPath(import.meta.url)
const __dirname = dirname(__filename)
function parseArgs(argv) {
const out = { kind: null, root: resolve(__dirname, '..') }
for (const a of argv.slice(2)) {
if (a.startsWith('--kind=')) out.kind = a.slice('--kind='.length)
else if (a.startsWith('--root=')) out.root = resolve(a.slice('--root='.length))
else if (a === '-h' || a === '--help') {
// eslint-disable-next-line no-console
console.error('Usage: check-banned-deps.mjs --kind=<key> [--root=<repo-root>]')
process.exit(0)
}
}
if (!out.kind) {
process.stderr.write('check-banned-deps: --kind is required\n')
process.exit(2)
}
return out
}
function loadDenylist(root) {
const path = join(root, 'tests', 'security', 'banned-deps.json')
return JSON.parse(readFileSync(path, 'utf8'))
}
function loadPackageJson(root) {
return JSON.parse(readFileSync(join(root, 'package.json'), 'utf8'))
}
function namesFromPackageJson(pkg) {
return Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) })
}
function checkPackageJson(section, root) {
const pkg = loadPackageJson(root)
const names = namesFromPackageJson(pkg)
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
const hits = []
for (const name of names) {
for (const re of regexes) {
if (re.test(name)) {
hits.push(`${name} matched /${re.source}/i`)
break
}
}
}
return hits
}
// File walker — yields paths under `dir` that match the included extensions.
// Skips dist/, node_modules/, test-output/, and any `*.test.{ts,tsx}` /
// `*.spec.{ts,tsx}` files (production source only, mirrors run-tests.sh src_grep).
const IGNORED_DIRS = new Set([
'node_modules', 'dist', 'build', 'test-output', 'test-results',
'coverage', '.git', '.cache', 'playwright-report', 'blob-report',
])
const SOURCE_EXT = ['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']
const TEST_NAME_RE = /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i
function* walkSourceFiles(rootDir) {
let entries
try {
entries = readdirSync(rootDir, { withFileTypes: true })
} catch {
return
}
for (const entry of entries) {
const full = join(rootDir, entry.name)
if (entry.isDirectory()) {
if (IGNORED_DIRS.has(entry.name)) continue
yield* walkSourceFiles(full)
} else if (entry.isFile()) {
const ext = '.' + entry.name.split('.').pop()
if (!SOURCE_EXT.includes(ext)) continue
if (TEST_NAME_RE.test(entry.name)) continue
yield full
}
}
}
function checkSourceTree(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p, 'i'))
const allowlist = new Set((section.allowlist ?? []).map((p) => p.replaceAll('\\', '/')))
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
if (allowlist.has(relPath)) continue
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const lines = text.split('\n')
lines.forEach((line, idx) => {
for (const re of regexes) {
if (re.test(line)) {
hits.push(`${relPath}:${idx + 1}: ${line.trim().slice(0, 200)} (matched /${re.source}/i)`)
break
}
}
})
}
}
return hits
}
function checkDestructiveSurfaces(section, root, subdirs) {
const regexes = section.patterns.map((p) => new RegExp(p))
const gated = new Set((section.gated ?? []).map((p) => p.replaceAll('\\', '/')))
const drift = new Set((section.drift ?? []).map((p) => p.replaceAll('\\', '/')))
const known = new Set([...gated, ...drift])
const hits = []
for (const sub of subdirs) {
const full = join(root, sub)
try { statSync(full) } catch { continue }
for (const file of walkSourceFiles(full)) {
const relPath = relative(root, file).replaceAll('\\', '/')
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
const matches = regexes.some((re) => re.test(text))
if (!matches) continue
if (known.has(relPath)) continue
hits.push(
`${relPath}: contains destructive call but is not in gated/drift allowlist; ` +
`add to tests/security/banned-deps.json (destructive_surfaces) with a code-review note`,
)
}
}
return hits
}
function* walkAnyFiles(rootDir) {
let entries
try {
entries = readdirSync(rootDir, { withFileTypes: true })
} catch {
return
}
for (const entry of entries) {
const full = join(rootDir, entry.name)
if (entry.isDirectory()) {
if (IGNORED_DIRS.has(entry.name)) continue
yield* walkAnyFiles(full)
} else if (entry.isFile()) {
yield full
}
}
}
function checkDistTree(section, root) {
const dist = join(root, 'dist')
try { statSync(dist) } catch {
process.stderr.write('dist/ missing — run `bun run build` before this check\n')
process.exit(1)
}
const hits = []
for (const file of walkAnyFiles(dist)) {
let text
try { text = readFileSync(file, 'utf8') } catch { continue }
for (const literal of section.patterns) {
if (text.includes(literal)) {
hits.push(`${relative(root, file)} contains banned literal: ${literal}`)
}
}
}
return hits
}
function main() {
const { kind, root } = parseArgs(process.argv)
const denylist = loadDenylist(root)
const section = denylist[kind]
if (!section) {
process.stderr.write(`unknown --kind=${kind}; available: ${Object.keys(denylist).filter((k) => !k.startsWith('$')).join(', ')}\n`)
process.exit(2)
}
let hits = []
if (kind === 'owm_key_in_dist') {
hits = checkDistTree(section, root)
} else if (
kind === 'legacy_integrations' ||
kind === 'concurrent_edit_patterns' ||
kind === 'alert_calls' ||
kind === 'owm_key_in_source' ||
kind === 'google_key_in_source'
) {
hits = checkSourceTree(section, root, ['src', 'mission-planner'])
} else if (kind === 'destructive_surfaces') {
hits = checkDestructiveSurfaces(section, root, ['src'])
} else {
hits = checkPackageJson(section, root)
}
if (hits.length) {
process.stderr.write(`banned (${kind} / ${section.ac}):\n`)
for (const h of hits) process.stderr.write(` ${h}\n`)
process.exit(1)
}
process.exit(0)
}
main()
Reference in New Issue View Git Blame Copy Permalink