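---
# Custom Semgrep rules for Next.js security.
#
# Patterns that contain `{`, `}` or `: ` are written as block scalars (`|`):
# as plain scalars YAML would read `{{ __html: $VAR }}` as a flow mapping and
# `a: b` as a key/value pair, and the file would fail to load.
# Rule messages are kept in the original German.
rules:
  # Flag dangerouslySetInnerHTML whose payload did not go through a sanitizer.
  - id: next-xss-dangerous-html
    patterns:
      - pattern: |
          dangerouslySetInnerHTML={{ __html: $VAR }}
      # The trailing `...` accepts sanitizer options (e.g. a config object) as
      # extra arguments, so `DOMPurify.sanitize(html, { ... })` is not reported.
      - pattern-not: |
          dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize($VAR, ...) }}
      - pattern-not: |
          dangerouslySetInnerHTML={{ __html: sanitize($VAR, ...) }}
    message: "XSS Risiko: Verwende DOMPurify.sanitize() bevor du dangerouslySetInnerHTML nutzt"
    severity: ERROR
    languages: [typescript, javascript]

  # Flag hard-coded API keys.
  # Inside a string literal Semgrep treats `"sk-..."` literally (only a bare
  # `"..."` is a wildcard), so key prefixes are checked with metavariable-regex
  # against the bound literal instead.
  - id: next-hardcoded-api-key
    patterns:
      - pattern-either:
          # Vendor-style key prefixes in any string literal assignment.
          - patterns:
              - pattern: $KEY = $VAL
              # The text bound to $VAL includes the opening quote character.
              - metavariable-regex:
                  metavariable: $VAL
                  regex: '^["''`](sk-|pk_)'
          # Any string literal assigned to an apiKey / api_key style name,
          # as a variable or as an object property.
          - patterns:
              - pattern-either:
                  - pattern: $KEY = "..."
                  - pattern: |
                      { ..., $KEY: "...", ... }
              - metavariable-regex:
                  metavariable: $KEY
                  regex: '(?i)^api_?key$'
    message: "Hardcoded API Key gefunden. Verwende Environment Variables."
    severity: ERROR
    languages: [typescript, javascript]

  # Flag App Router route handlers that call a data-access client without an
  # auth check in the same handler.
  - id: next-unprotected-api-route
    patterns:
      # `$REQ` instead of a fixed parameter name, and `...` so handlers with a
      # second `{ params }` argument are covered as well.
      - pattern-inside: |
          export async function $METHOD($REQ: NextRequest, ...) {
            ...
          }
      # Only real route handlers; other exported helpers in the file are ignored.
      - metavariable-regex:
          metavariable: $METHOD
          regex: '^(GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS)$'
      # `$AUTH` accepts any receiver (e.g. `supabase.auth.getUser()`); a plain
      # `auth.getUser()` pattern would only match that exact receiver.
      - pattern-not-inside: |
          export async function $METHOD($REQ: NextRequest, ...) {
            ...
            $AUTH.getUser(...)
            ...
          }
      - pattern-not-inside: |
          export async function $METHOD($REQ: NextRequest, ...) {
            ...
            $AUTH.getSession(...)
            ...
          }
      - pattern-not-inside: |
          export async function $METHOD($REQ: NextRequest, ...) {
            ...
            getSession(...)
            ...
          }
      - pattern: $DB.$OPERATION(...)
      # Without this restriction every method call in the handler
      # (`request.json()`, `NextResponse.json()`) would be reported.
      # Constructed list of common client names; extend it for the project.
      - metavariable-regex:
          metavariable: $DB
          regex: '(?i)^(db|prisma|pool|sql|knex|supabase\w*)(\.\w+)*$'
    message: "API Route ohne Authentication. Fuege Auth-Check hinzu."
    severity: WARNING
    languages: [typescript]
    paths:
      include:
        - "app/api/**"

  # Flag server-only environment variables read inside a Client Component.
  # NEXT_PUBLIC_* variables are intentionally inlined into the client bundle by
  # Next.js, so they are excluded; every other variable is treated as server-only.
  - id: next-secret-in-client
    patterns:
      - pattern-inside: |
          "use client"
          ...
      - pattern: process.env.$SECRET_KEY
      - metavariable-regex:
          metavariable: $SECRET_KEY
          regex: '^(?!NEXT_PUBLIC_)'
    message: "Server-only Secret in Client Component. Verschiebe in Server Component oder API Route."
    severity: ERROR
    languages: [typescript, javascript]

  # Flag dynamic code evaluation.
  - id: next-no-eval
    patterns:
      - pattern-either:
          - pattern: eval(...)
          - pattern: new Function(...)
    message: "eval() und new Function() sind Sicherheitsrisiken. Finde eine Alternative."
    severity: ERROR
    languages: [typescript, javascript]

  # Flag use of the service-role client, which bypasses Row Level Security.
  # Comments are not part of the AST Semgrep matches on, so a comment-only
  # `pattern-not-inside` cannot serve as an opt-out. Mark intentional uses at
  # the call site with `// nosemgrep: supabase-rls-bypass` instead.
  - id: supabase-rls-bypass
    pattern-either:
      - pattern: supabaseAdmin.from(...)
      - pattern: supabaseAdmin.rpc(...)
    message: "supabaseAdmin umgeht RLS. Stelle sicher dass dies beabsichtigt ist."
    severity: WARNING
    languages: [typescript, javascript]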