Mike/Kordant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
Kordant/piolium/attack-surface/candidates-summary.md
Michael Freno 542172d1e8 android flesh out
2026-06-01 12:58:34 -04:00

156 lines
16 KiB
Markdown
Raw Permalink Blame History

# Candidate Scan
Generated by piolium at 2026-06-01T14:22:03.009Z
## Totals
- Files scanned: 880
- Candidate files: 259
- Candidate matches: 1703
- Per-file records: disabled (set PIOLIUM_FILE_RECORDS=1 to enable)
## Candidate Classes
- secret-literal: 14 match(es), max score 122. Hardcoded secret-like literal.
- command-execution: 65 match(es), max score 90. Potential command execution or shell invocation with variable input.
- dynamic-code-execution: 27 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
- raw-sql-query: 644 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
- hidden-control-channel: 165 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
- open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
- path-traversal-file-access: 688 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
- webhook-without-obvious-signature: 41 match(es), max score 79. Webhook handler path that should be checked for signature verification.
- ssrf-capable-request: 26 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
- unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
- weak-token-or-crypto: 9 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
- public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.
## Top Files
- `honker/tests/test_joblite.py`: score 2280, 41 match(es)
- `honker/tests/test_litenotify.py`: score 2200, 40 match(es)
- `honker/packages/honker-jvm/src/test/java/dev/honker/HonkerJvmTest.java`: score 1980, 36 match(es)
- `honker/packages/honker-bun/src/index.ts`: score 1905, 27 match(es)
- `honker/packages/honker-node/test/parity.test.js`: score 1815, 33 match(es)
- `honker/tests/test_scheduler.py`: score 1815, 33 match(es)
- `honker/tests/test_real_e2e_scenarios.py`: score 1810, 32 match(es)
- `honker/tests/test_extension_interop.py`: score 1760, 32 match(es)
- `honker/tests/test_stream.py`: score 1650, 30 match(es)
- `web/src/server/services/hometitle/county-scrapers/unified-parser.ts`: score 1530, 18 match(es)
- `honker/tests/test_tasks.py`: score 1485, 27 match(es)
- `web/src/routes/api/stripe/webhook.test.ts`: score 1422, 18 match(es)
- `honker/tests/test_task_results.py`: score 1375, 25 match(es)
- `honker/tests/test_outbox.py`: score 1320, 24 match(es)
- `honker/packages/honker/python/honker/_honker.py`: score 1265, 23 match(es)
- `web/src/server/services/darkwatch/shodan.client.ts`: score 1265, 23 match(es)
- `web/src/routes/api/stripe/webhook.ts`: score 1239, 16 match(es)
- `web/src/middleware.ts`: score 1197, 19 match(es)
- `web/src/server/services/darkwatch/shodan.client.test.ts`: score 1190, 21 match(es)
- `honker/packages/honker-node/test/basic.js`: score 1155, 21 match(es)
- `web/src/server/websocket.ts`: score 1155, 21 match(es)
- `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts`: score 1150, 20 match(es)
- `honker/packages/honker-node/api.js`: score 1134, 18 match(es)
- `honker/packages/honker-bun/test/parity.test.ts`: score 1115, 17 match(es)
- `web/src/server/api/routers/removebrokers.ts`: score 1106, 14 match(es)
- `honker/tests/test_multiprocess.py`: score 1065, 18 match(es)
- `honker/packages/honker-bun/test/python_interop.test.ts`: score 930, 16 match(es)
- `honker/bench/real_bench.py`: score 925, 15 match(es)
- `honker/packages/honker-node/test/watcher_backends_e2e.js`: score 905, 16 match(es)
- `honker/tests/test_crash_recovery.py`: score 905, 16 match(es)
- `honker/packages/honker-bun/test/basic.test.ts`: score 880, 16 match(es)
- `web/src/server/websocket.test.ts`: score 880, 16 match(es)
- `honker/packages/honker-node/examples/atomic.js`: score 825, 15 match(es)
- `web/src/server/api/routers/correlation.test.ts`: score 790, 10 match(es)
- `honker/bench/ext_bench.py`: score 770, 14 match(es)
- `honker/packages/honker-jvm/src/main/java/dev/honker/Database.java`: score 770, 14 match(es)
- `honker/packages/honker-ruby/spec/parity_spec.rb`: score 770, 14 match(es)
- `honker/tests/test_phase_mantle.py`: score 770, 14 match(es)
- `honker/tests/test_task_expiration.py`: score 715, 13 match(es)
- `honker/tests/test_task_locking.py`: score 715, 13 match(es)
## Highest-Ranked Matches
- secret-literal (precise, score 122) at `web/src/server/api/routers/billing.test.ts:220` - clientSecret: "cs_123_secret",
- secret-literal (precise, score 106) at `web/src/routes/(auth)/login.tsx:30` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:27` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/reset-password.tsx:29` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:66` - if (!password()) errs.password = "Password is required";
- secret-literal (precise, score 106) at `web/src/routes/(auth)/signup.tsx:68` - errs.password = "Password must be at least 8 characters";
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:140` - client_secret: "cs_123_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:178` - client_secret: "cs_trial_secret",
- secret-literal (precise, score 98) at `web/src/server/services/billing.service.test.ts:216` - client_secret: "cs_upgrade_secret",
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/examples/atomic.ts:21` - db.raw.exec(
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:343` - this.raw.exec("BEGIN IMMEDIATE");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:422` - raw.exec("PRAGMA busy_timeout = 5000;");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:424` - raw.exec(DEFAULT_PRAGMAS);
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:425` - raw.exec("SELECT honker_bootstrap()");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:441` - held.raw.exec("ROLLBACK");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:480` - this.raw.exec("COMMIT");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/src/index.ts:489` - this.raw.exec("ROLLBACK");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:68` - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:82` - db.raw.exec("CREATE TABLE kv (k TEXT)");
- dynamic-code-execution (precise, score 90) at `honker/packages/honker-bun/test/parity.test.ts:94` - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:24` - cmd := exec.Command(p, "-c", pythonProbeScript)
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:38` - cmd := exec.Command(p, "-c", pythonProbeScript)
- command-execution (precise, score 90) at `honker/packages/honker-go/python_interop_test.go:86` - cmd := exec.Command(python, "-c", script)
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:119` - cmd := exec.Command(os.Args[0], "-test.v", "-test.run", "^TestWatcherBackendQueueHelper$")
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:194` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- command-execution (precise, score 90) at `honker/packages/honker-go/watcher_backends_queue_test.go:226` - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
- dynamic-code-execution (precise, score 90) at `honker/scripts/test_sqlite_versions.py:103` - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:216` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- dynamic-code-execution (precise, score 90) at `ml/spam-classifier/train.py:280` - model.eval()
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/hibp.client.test.ts:65` - const apiKey = "test-api-key";
- secret-literal (precise, score 90) at `web/src/server/services/darkwatch/shodan.client.test.ts:13` - const apiKey = "test-shodan-key";
- secret-literal (precise, score 90) at `web/src/server/services/hometitle/attom.client.test.ts:170` - const apiKey = "test-attom-api-key";
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:101` - while ((tableMatch = tableRegex.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:127` - while ((rowMatch = rowRegex.exec(tableHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:153` - while ((match = cellRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:160` - while ((match = tdRegex.exec(headerRowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:199` - while ((match = cellRegex.exec(rowHtml)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:294` - while ((match = labelSpanPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:302` - while ((match = thTdPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:310` - while ((match = divFieldPattern.exec(html)) !== null) {
- dynamic-code-execution (precise, score 90) at `web/src/server/services/hometitle/county-scrapers/unified-parser.ts:318` - while ((match = plainLabelPattern.exec(html)) !== null) {
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:220` - token: "existing-token",
- secret-literal (precise, score 90) at `web/src/server/services/notification.service.test.ts:256` - token: "other-user-token",
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:40` - stats: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:58` - blogList: adminProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:64` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/admin.ts:137` - userList: adminProcedure.query(async ({ ctx }) => {
- hidden-control-channel (normal, score 87) at `web/src/server/api/routers/billing.test.ts:95` - const isAuthed = t.middleware(({ ctx, next }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:102` - .query(async () => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.test.ts:168` - .query(async ({ ctx, input }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:43` - getSubscription: protectedProcedure.query(async ({ ctx }) => {
- raw-sql-query (normal, score 87) at `web/src/server/api/routers/billing.ts:304` - .query(async ({ ctx, input }) => {
- open-redirect (normal, score 81) at `web/src/routes/(admin)/blog/index.tsx:32` - if (redirect()) return <Navigate href="/admin/blog/new" />;
- command-execution (precise, score 80) at `honker/bench/real_bench.py:180` - def spawn(script: str) -> subprocess.Popen:
- command-execution (precise, score 80) at `honker/bench/real_bench.py:181` - return subprocess.Popen(
- command-execution (precise, score 80) at `honker/bench/real_bench.py:212` - spawn(
- command-execution (precise, score 80) at `honker/bench/real_bench.py:224` - spawn(enqueuer_script(db_path, queue_name, rate_per_enqueuer))
- command-execution (precise, score 80) at `honker/bench/wake_latency_bench.py:83` - proc = subprocess.Popen(
- command-execution (precise, score 80) at `honker/packages/honker-bun/examples/atomic.ts:21` - db.raw.exec(
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:343` - this.raw.exec("BEGIN IMMEDIATE");
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:422` - raw.exec("PRAGMA busy_timeout = 5000;");
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:424` - raw.exec(DEFAULT_PRAGMAS);
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:425` - raw.exec("SELECT honker_bootstrap()");
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:441` - held.raw.exec("ROLLBACK");
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:480` - this.raw.exec("COMMIT");
- command-execution (precise, score 80) at `honker/packages/honker-bun/src/index.ts:489` - this.raw.exec("ROLLBACK");
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:68` - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:82` - db.raw.exec("CREATE TABLE kv (k TEXT)");
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/parity.test.ts:94` - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/python_interop.test.ts:38` - const probe = spawnSync(python, ["-c", probeScript], {
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/python_interop.test.ts:61` - const out = spawnSync(python, ["-c", script], {
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:116` - const proc = spawn(process.execPath, ["-e", workerScript(dbPath, extPath, workerId, backend)], {
- command-execution (precise, score 80) at `honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:152` - const res = spawnSync(process.execPath, ["-e", script], {
- command-execution (precise, score 80) at `honker/packages/honker-node/index.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/native.js:56` - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
- command-execution (precise, score 80) at `honker/packages/honker-node/test/cross_lang_shared.js:28` - return spawn(PYTHON, ['-c', script], { stdio });
## Custom Matchers
Project matchers can be added at `piolium/matchers.json`, `piolium/custom-matchers.json`, or `.piolium-matchers.json`.
Reference in New Issue View Git Blame Copy Permalink