Kordant/piolium/attack-surface/candidates-summary.md
2026-05-29 09:03:47 -04:00

15 KiB

Candidate Scan

Generated by piolium at 2026-05-28T13:00:30.318Z

Totals

  • Files scanned: 730
  • Candidate files: 218
  • Candidate matches: 1412
  • Per-file records: disabled (set PIOLIUM_FILE_RECORDS=1 to enable)

Candidate Classes

  • secret-literal: 9 match(es), max score 122. Hardcoded secret-like literal.
  • command-execution: 55 match(es), max score 90. Potential command execution or shell invocation with variable input.
  • dynamic-code-execution: 12 match(es), max score 90. Dynamic code execution, expression evaluation, or runtime compilation.
  • raw-sql-query: 611 match(es), max score 87. Raw SQL construction or query execution that may need parameterization review.
  • hidden-control-channel: 42 match(es), max score 87. Request header or framework/proxy context read that may influence auth, routing, tenant, runtime, debug, or middleware behavior.
  • open-redirect: 2 match(es), max score 81. Redirect sink that may accept user-controlled URLs.
  • path-traversal-file-access: 638 match(es), max score 79. Filesystem access using path joins or user-controllable paths.
  • webhook-without-obvious-signature: 6 match(es), max score 79. Webhook handler path that should be checked for signature verification.
  • unsafe-html-or-template: 17 match(es), max score 71. HTML injection sink or template escape bypass.
  • ssrf-capable-request: 10 match(es), max score 71. Outbound HTTP request site that may be attacker-controlled.
  • weak-token-or-crypto: 5 match(es), max score 63. Token, JWT, randomness, or crypto usage that deserves review.
  • public-entrypoint: 5 match(es), max score 54. Public route, handler, controller, workflow, or operation entry point.

Top Files

  • honker/tests/test_joblite.py: score 2280, 41 match(es)
  • honker/tests/test_litenotify.py: score 2200, 40 match(es)
  • honker/packages/honker-jvm/src/test/java/dev/honker/HonkerJvmTest.java: score 1980, 36 match(es)
  • honker/packages/honker-bun/src/index.ts: score 1905, 27 match(es)
  • honker/packages/honker-node/test/parity.test.js: score 1815, 33 match(es)
  • honker/tests/test_scheduler.py: score 1815, 33 match(es)
  • honker/tests/test_real_e2e_scenarios.py: score 1810, 32 match(es)
  • honker/tests/test_extension_interop.py: score 1760, 32 match(es)
  • honker/tests/test_stream.py: score 1650, 30 match(es)
  • honker/tests/test_tasks.py: score 1485, 27 match(es)
  • honker/tests/test_task_results.py: score 1375, 25 match(es)
  • honker/tests/test_outbox.py: score 1320, 24 match(es)
  • honker/packages/honker/python/honker/_honker.py: score 1265, 23 match(es)
  • honker/packages/honker-node/test/basic.js: score 1155, 21 match(es)
  • honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts: score 1150, 20 match(es)
  • honker/packages/honker-node/api.js: score 1134, 18 match(es)
  • honker/packages/honker-bun/test/parity.test.ts: score 1115, 17 match(es)
  • honker/tests/test_multiprocess.py: score 1065, 18 match(es)
  • honker/packages/honker-bun/test/python_interop.test.ts: score 930, 16 match(es)
  • honker/bench/real_bench.py: score 925, 15 match(es)
  • honker/packages/honker-node/test/watcher_backends_e2e.js: score 905, 16 match(es)
  • honker/tests/test_crash_recovery.py: score 905, 16 match(es)
  • honker/packages/honker-bun/test/basic.test.ts: score 880, 16 match(es)
  • honker/packages/honker-node/examples/atomic.js: score 825, 15 match(es)
  • honker/bench/ext_bench.py: score 770, 14 match(es)
  • honker/packages/honker-jvm/src/main/java/dev/honker/Database.java: score 770, 14 match(es)
  • honker/packages/honker-ruby/spec/parity_spec.rb: score 770, 14 match(es)
  • honker/tests/test_phase_mantle.py: score 770, 14 match(es)
  • honker/tests/test_task_expiration.py: score 715, 13 match(es)
  • honker/tests/test_task_locking.py: score 715, 13 match(es)
  • honker/tests/test_worker_task_options.py: score 715, 13 match(es)
  • honker/packages/honker-node/test/watcher_backends_queue_e2e.js: score 710, 12 match(es)
  • honker/packages/honker-jvm/src/main/java/dev/honker/Queue.java: score 660, 12 match(es)
  • honker/packages/honker-node/test/cross_lang_python_to_node.js: score 660, 12 match(es)
  • honker/packages/honker-ruby/lib/honker.rb: score 660, 12 match(es)
  • honker/packages/honker-ruby/spec/honker_spec.rb: score 655, 11 match(es)
  • honker/tests/test_time_triggers_e2e.py: score 630, 11 match(es)
  • web/src/middleware.ts: score 630, 10 match(es)
  • web/src/routes/api/stripe/webhook.ts: score 607, 8 match(es)
  • honker/packages/honker/python/honker/_scheduler.py: score 605, 11 match(es)

Highest-Ranked Matches

  • secret-literal (precise, score 122) at web/src/server/api/routers/billing.test.ts:164 - clientSecret: "cs_123_secret",
  • secret-literal (precise, score 106) at web/src/routes/(auth)/login.tsx:30 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/reset-password.tsx:27 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/reset-password.tsx:29 - errs.password = "Password must be at least 8 characters";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/signup.tsx:66 - if (!password()) errs.password = "Password is required";
  • secret-literal (precise, score 106) at web/src/routes/(auth)/signup.tsx:68 - errs.password = "Password must be at least 8 characters";
  • secret-literal (precise, score 98) at web/src/server/services/billing.service.test.ts:116 - client_secret: "cs_123_secret",
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/examples/atomic.ts:21 - db.raw.exec(
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:343 - this.raw.exec("BEGIN IMMEDIATE");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:422 - raw.exec("PRAGMA busy_timeout = 5000;");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:424 - raw.exec(DEFAULT_PRAGMAS);
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:425 - raw.exec("SELECT honker_bootstrap()");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:441 - held.raw.exec("ROLLBACK");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:480 - this.raw.exec("COMMIT");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/src/index.ts:489 - this.raw.exec("ROLLBACK");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:68 - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:82 - db.raw.exec("CREATE TABLE kv (k TEXT)");
  • dynamic-code-execution (precise, score 90) at honker/packages/honker-bun/test/parity.test.ts:94 - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:24 - cmd := exec.Command(p, "-c", pythonProbeScript)
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:38 - cmd := exec.Command(p, "-c", pythonProbeScript)
  • command-execution (precise, score 90) at honker/packages/honker-go/python_interop_test.go:86 - cmd := exec.Command(python, "-c", script)
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:119 - cmd := exec.Command(os.Args[0], "-test.v", "-test.run", "^TestWatcherBackendQueueHelper$")
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:194 - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
  • command-execution (precise, score 90) at honker/packages/honker-go/watcher_backends_queue_test.go:226 - cmd := exec.Command(os.Args[0], "-test.run", "^TestWatcherBackendQueueHelper$")
  • dynamic-code-execution (precise, score 90) at honker/scripts/test_sqlite_versions.py:103 - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
  • secret-literal (precise, score 90) at web/src/server/services/notification.service.test.ts:220 - token: "existing-token",
  • secret-literal (precise, score 90) at web/src/server/services/notification.service.test.ts:256 - token: "other-user-token",
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:40 - stats: adminProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:58 - blogList: adminProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:64 - .query(async ({ ctx, input }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/admin.ts:137 - userList: adminProcedure.query(async ({ ctx }) => {
  • hidden-control-channel (normal, score 87) at web/src/server/api/routers/billing.test.ts:73 - const isAuthed = t.middleware(({ ctx, next }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.test.ts:80 - .query(async () => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.test.ts:113 - .query(async ({ ctx, input }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.ts:33 - getSubscription: protectedProcedure.query(async ({ ctx }) => {
  • raw-sql-query (normal, score 87) at web/src/server/api/routers/billing.ts:155 - .query(async ({ ctx, input }) => {
  • open-redirect (normal, score 81) at web/src/routes/(admin)/blog/index.tsx:32 - if (redirect()) return ;
  • command-execution (precise, score 80) at honker/bench/real_bench.py:180 - def spawn(script: str) -> subprocess.Popen:
  • command-execution (precise, score 80) at honker/bench/real_bench.py:181 - return subprocess.Popen(
  • command-execution (precise, score 80) at honker/bench/real_bench.py:212 - spawn(
  • command-execution (precise, score 80) at honker/bench/real_bench.py:224 - spawn(enqueuer_script(db_path, queue_name, rate_per_enqueuer))
  • command-execution (precise, score 80) at honker/bench/wake_latency_bench.py:83 - proc = subprocess.Popen(
  • command-execution (precise, score 80) at honker/packages/honker-bun/examples/atomic.ts:21 - db.raw.exec(
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:343 - this.raw.exec("BEGIN IMMEDIATE");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:422 - raw.exec("PRAGMA busy_timeout = 5000;");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:424 - raw.exec(DEFAULT_PRAGMAS);
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:425 - raw.exec("SELECT honker_bootstrap()");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:441 - held.raw.exec("ROLLBACK");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:480 - this.raw.exec("COMMIT");
  • command-execution (precise, score 80) at honker/packages/honker-bun/src/index.ts:489 - this.raw.exec("ROLLBACK");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:68 - db.raw.exec("CREATE TABLE kv (k TEXT PRIMARY KEY, v TEXT)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:82 - db.raw.exec("CREATE TABLE kv (k TEXT)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/parity.test.ts:94 - db.raw.exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount INTEGER)");
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/python_interop.test.ts:38 - const probe = spawnSync(python, ["-c", probeScript], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/python_interop.test.ts:61 - const out = spawnSync(python, ["-c", script], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:116 - const proc = spawn(process.execPath, ["-e", workerScript(dbPath, extPath, workerId, backend)], {
  • command-execution (precise, score 80) at honker/packages/honker-bun/test/watcher_backends_queue_e2e.test.ts:152 - const res = spawnSync(process.execPath, ["-e", script], {
  • command-execution (precise, score 80) at honker/packages/honker-node/index.js:56 - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
  • command-execution (precise, score 80) at honker/packages/honker-node/native.js:56 - return require('child_process').execSync('ldd --version', { encoding: 'utf8' }).includes('musl')
  • command-execution (precise, score 80) at honker/packages/honker-node/test/cross_lang_shared.js:28 - return spawn(PYTHON, ['-c', script], { stdio });
  • command-execution (precise, score 80) at honker/packages/honker-node/test/watcher_backends_e2e.js:29 - return spawn(process.execPath, ['-e', script], {
  • command-execution (precise, score 80) at honker/packages/honker-node/test/watcher_backends_queue_e2e.js:38 - return spawn(process.execPath, ['-e', script], {
  • command-execution (precise, score 80) at honker/packages/honker-node/test/watcher_backends_queue_e2e.js:155 - const res = spawnSync(process.execPath, ['-e', script], {
  • command-execution (precise, score 80) at honker/packages/honker-ruby/ext/honker/extconf.rb:24 - cargo_found = system("cargo", "--version", out: File::NULL, err: File::NULL)
  • command-execution (precise, score 80) at honker/packages/honker-ruby/ext/honker/extconf.rb:48 - system(
  • command-execution (precise, score 80) at honker/packages/honker-ruby/spec/honker_spec.rb:176 - pid = Process.spawn(
  • command-execution (precise, score 80) at honker/packages/honker-ruby/spec/honker_spec.rb:191 - Process.spawn(
  • command-execution (precise, score 80) at honker/packages/honker-ruby/spec/railtie_spec.rb:36 - out = IO.popen([RbConfig.ruby, "-e", script], &:read)
  • command-execution (precise, score 80) at honker/scripts/test_sqlite_versions.py:44 - out = subprocess.check_output(["otool", "-L", mod_path], text=True)
  • command-execution (precise, score 80) at honker/scripts/test_sqlite_versions.py:103 - assert rc == SQLITE_OK, f"exec({sql!r}) failed: {rc}"
  • command-execution (precise, score 80) at honker/tests/test_crash_recovery.py:54 - return subprocess.Popen(
  • command-execution (precise, score 80) at honker/tests/test_cross_process_wake_latency.py:72 - proc = subprocess.Popen(
  • command-execution (precise, score 80) at honker/tests/test_fault_injection.py:112 - subprocess.run(
  • command-execution (precise, score 80) at honker/tests/test_fault_injection.py:143 - subprocess.run(["umount", str(mount_dir)], check=False)
  • command-execution (precise, score 80) at honker/tests/test_joblite.py:79 - return subprocess.Popen(
  • command-execution (precise, score 80) at honker/tests/test_multiprocess.py:63 - return subprocess.run(
  • command-execution (precise, score 80) at honker/tests/test_multiprocess.py:219 - return subprocess.run(
  • command-execution (precise, score 80) at honker/tests/test_multiprocess.py:277 - return subprocess.run(
  • command-execution (precise, score 80) at honker/tests/test_real_e2e_scenarios.py:270 - return subprocess.Popen(
  • command-execution (precise, score 80) at honker/tests/test_real_e2e_scenarios.py:279 - return subprocess.run(

Custom Matchers

Project matchers can be added at piolium/matchers.json, piolium/custom-matchers.json, or .piolium-matchers.json.