Kordant/piolium/attack-surface/candidates-summary.md
2026-06-01 12:58:34 -04:00

Candidate Scan

Generated by piolium at 2026-06-01T14:22:03.009Z

Totals

  • Files scanned: 880
  • Candidate files: 259
  • Candidate matches: 1703
  • Per-file records: disabled (set PIOLIUM_FILE_RECORDS=1 to enable)

Candidate Classes

  • secret-literal: 14 match(es), max score 122. Hardcoded secret-like literal.
  • command-execution: 65 match(es), max score 90. Potential command execution or shell invocation with variable input.
  • dynamic-code-execution: 27 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
  • raw-sql-query: 644 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
  • hidden-control-channel: 165 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
  • open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
  • path-traversal-file-access: 688 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
  • webhook-without-obvious-signature: 41 match(es), max score 79. Webhook handler path that should be checked for signature verification.
  • ssrf-capable-request: 26 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
  • unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
  • weak-token-or-crypto: 9 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
  • public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.

Top Files

  • honker/tests/test_joblite.py: score 2280, 41 match(es)
  • honker/tests/test_litenotify.py: score 2200, 40 match(es)
  • honker/packages/honker-jvm/src/test/java/dev/honker/HonkerJvmTest.java: score 1980, 36 match(es)
  • honker/packages/honker-bun/src/index.ts: score 1905, 27 match(es)
  • honker/packages/honker-node/test/parity.test.js: score 1815, 33 match(es)
  • honker/tests/test_scheduler.py: score 1815, 33 match(es)
  • honker/tests/test_real_e2e_scenarios.py: score 1810, 32 match(es)
  • honker/tests/test_extension_interop.py: score 1760, 32 match(es)
  • honker/tests/test_stream.py: score 1650, 30 match(es)
  • web/src/server/services/hometitle/county-scrapers/unified-parser.ts: score 1530, 18 match(es)
  • honker/tests/test_tasks.py: score 1485, 27 match(es)
  • web/src/routes/api/stripe/webhook.test.ts: score 1422, 18 match(es)
  • honker/tests/test_task_results.py: score 1375, 25 match(es)
  • honker/tests/test_outbox.py: score 1320, 24 match(es)
  • honker/packages/honker/python/honker/_honker.py: score 1265, 23 match(es)
  • web/src/server/services/darkwatch/shodan.client.ts: score 1265, 23 match(es)
  • web/src/routes/api/stripe/webhook.ts: score 1239, 16 match(es)
  • web/src/middleware.ts: score 1197, 19 match(es)
  • web/src/server/services/darkwatch/shodan.client.test.ts: score 1190, 21 match(es)
  • honker/packages/honker-node/test/basic.js: score 1155, 21 match(es)
  • web/src/server/websocket.ts: score 1155, 21 match(es)
  • honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts: score 1150, 20 match(es)
  • honker/packages/honker-node/api.js: score 1134, 18 match(es)
  • honker/packages/honker-bun/test/parity.test.ts: score 1115, 17 match(es)
  • web/src/server/api/routers/removebrokers.ts: score 1106, 14 match(es)
  • honker/tests/test_multiprocess.py: score 1065, 18 match(es)
  • honker/packages/honker-bun/test/python_interop.test.ts: score 930, 16 match(es)
  • honker/bench/real_bench.py: score 925, 15 match(es)
  • honker/packages/honker-node/test/watcher_backends_e2e.js: score 905, 16 match(es)
  • honker/tests/test_crash_recovery.py: score 905, 16 match(es)
  • honker/packages/honker-bun/test/basic.test.ts: score 880, 16 match(es)
  • web/src/server/websocket.test.ts: score 880, 16 match(es)
  • honker/packages/honker-node/examples/atomic.js: score 825, 15 match(es)
  • web/src/server/api/routers/correlation.test.ts: score 790, 10 match(es)
  • honker/bench/ext_bench.py: score 770, 14 match(es)
  • honker/packages/honker-jvm/src/main/java/dev/honker/Database.java: score 770, 14 match(es)
  • honker/packages/honker-ruby/spec/parity_spec.rb: score 770, 14 match(es)
  • honker/tests/test_phase_mantle.py: score 770, 14 match(es)
  • honker/tests/test_task_expiration.py: score 715, 13 match(es)
  • honker/tests/test_task_locking.py: score 715, 13 match(es)

Highest-Ranked Matches

  • secret-literal (precise, score 122) at web/src/server/api/routers/billing.test.ts:220 - clientSecret: "cs_123_secret",
  • secret-literal (precise, score 106) at web/src/routes/(auth)/login.tsx:30 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/reset-password.tsx:27 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/reset-password.tsx:29 - errs.password = "Password must be at least 8 characters";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/signup.tsx:66 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/signup.tsx:68 - errs.password = "Password must be at least 8 characters";
  • secret-literal (precise, score 98) at web/src/server/services/billing.service.test.ts:140 - client_secret: "cs_123_secret",
  • secret-literal (precise, score 98) at web/src/server/services/billing.service.test.ts:178 - client_secret: "cs_trial_secret",
  • secret-literal (precise, score 98) at web/src/server/services/billing.service.test.ts:216 - client_secret: "cs_upgrade_secret",
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/examples/atomic.ts:21 - db.raw.exec(
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:343 - this.raw.exec("BEGIN IMMEDIATE");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:422 - raw.exec("PRAGMA busy_timeout = 5000;");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:424 - raw.exec(DEFAULT_PRAGMAS);
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:425 - raw.exec("SELECT honker_bootstrap()");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:441 - held.raw.exec("ROLLBACK");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:480 - this.raw.exec("COMMIT");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:489 - this.raw.exec("ROLLBACK");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:68 - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:82 - db.raw.exec("CREATE TABLE kv (k TEXT)");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:94 - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:24 - cmd := exec.Command(p, "-c", pythonProbeScript)
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:38 - cmd := exec.Command(p, "-c", pythonProbeScript)
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:86 - cmd := exec.Command(python, "-c", script)
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:119 - cmd := exec.Command(os.Args[0], "-test.v", "-test.run", "^TestWatcherBackendQueueHelper$")
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:194 - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:226 - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
  • dynamic-code-execution (precise, score 90) at honker/scripts/test_sqlite_versions.py:103 - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
  • dynamic-code-execution (precise, score 90) at ml/spam-classifier/train.py:216 - model.eval()
  • dynamic-code-execution (precise, score 90) at ml/spam-classifier/train.py:280 - model.eval()
  • secret-literal (precise, score 90) at web/src/server/services/darkwatch/hibp.client.test.ts:65 - const apiKey = "test-api-key";
  • secret-literal (precise, score 90) at web/src/server/services/darkwatch/shodan.client.test.ts:13 - const apiKey = "test-shodan-key";
  • secret-literal (precise, score 90) at web/src/server/services/hometitle/attom.client.test.ts:170 - const apiKey = "test-attom-api-key";
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:101 - while ((tableMatch = tableRegex.exec(html)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:127 - while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:153 - while ((match = cellRegex.exec(headerRowHtml)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:160 - while ((match = tdRegex.exec(headerRowHtml)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:199 - while ((match = cellRegex.exec(rowHtml)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:294 - while ((match = labelSpanPattern.exec(html)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:302 - while ((match = thTdPattern.exec(html)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:310 - while ((match = divFieldPattern.exec(html)) !== null) {
  • dynamic-code-execution (precise, score 90) at web/src/server/services/hometitle/county-scrapers/unified-parser.ts:318 - while ((match = plainLabelPattern.exec(html)) !== null) {
  • secret-literal (precise, score 90) at web/src/server/services/notification.service.test.ts:220 - token: "existing-token",
  • secret-literal (precise, score 90) at web/src/server/services/notification.service.test.ts:256 - token: "other-user-token",
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:40 - stats: adminProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:58 - blogList: adminProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:64 - .query(async ({ ctx, input }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:137 - userList: adminProcedure.query(async ({ ctx }) => {
  • hidden-control-channel (normal, score 87) at web/src/server/api/routers/billing.test.ts:95 - const isAuthed = t.middleware(({ ctx, next }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.test.ts:102 - .query(async () => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.test.ts:168 - .query(async ({ ctx, input }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.ts:43 - getSubscription: protectedProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.ts:304 - .query(async ({ ctx, input }) => {
  • open-redirect (normal, score 81) at web/src/routes/(admin)/blog/index.tsx:32 - if (redirect()) return ;
  • command-execution (precise, score 80) at honker/bench/real_bench.py:180 - def spawn(script: str) -> subprocess.Popen:
  • command-execution (precise, score 80) at honker/bench/real_bench.py:181 - return subprocess.Popen(
  • command-execution (precise, score 80) at honker/bench/real_bench.py:212 - spawn(
  • command-execution (precise, score 80) at honker/bench/real_bench.py:224 - spawn(enqueuer_script(db_path, queue_name, rate_per_enqueuer))
  • command-execution (precise, score 80) at honker/bench/wake_latency_bench.py:83 - proc = subprocess.Popen(
  • command-execution (precise, score 80) at honker/packages/honker-bun/examples/atomic.ts:21 - db.raw.exec(
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:343 - this.raw.exec("BEGIN IMMEDIATE");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:422 - raw.exec("PRAGMA busy_timeout = 5000;");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:424 - raw.exec(DEFAULT_PRAGMAS);
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:425 - raw.exec("SELECT honker_bootstrap()");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:441 - held.raw.exec("ROLLBACK");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:480 - this.raw.exec("COMMIT");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:489 - this.raw.exec("ROLLBACK");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:68 - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:82 - db.raw.exec("CREATE TABLE kv (k TEXT)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:94 - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/python_interop.test.ts:38 - const probe = spawnSync(python, ["-c", probeScript], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/python_interop.test.ts:61 - const out = spawnSync(python, ["-c", script], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:116 - const proc = spawn(process.execPath, ["-e", workerScript(dbPath, extPath, workerId, backend)], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:152 - const res = spawnSync(process.execPath, ["-e", script], {
  • command-execution (precise, score 80) at honker/packages/honker-node/index.js:56 - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
  • command-execution (precise, score 80) at honker/packages/honker-node/native.js:56 - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
  • command-execution (precise, score 80) at honker/packages/honker-node/test/cross_lang_shared.js:28 - return spawn(PYTHON, ['-c', script], { stdio });

Custom Matchers

Project matchers can be added at piolium/matchers.json, piolium/custom-matchers.json, or .piolium-matchers.json.