@indicated/vibeguard 1.0.0

package/tests/rules/high.test.ts

@@ -0,0 +1,377 @@
+import { describe, it, expect } from 'vitest';
+import { testRule, getRule } from '../helpers';
+
+describe('High Security Rules', () => {
+  describe('missing-auth-route', () => {
+    const ruleId = 'missing-auth-route';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should have AST matcher configured', () => {
+      const rule = getRule(ruleId);
+      expect(rule?.astMatcher).toBe('missing-auth');
+    });
+  });
+
+  describe('xss-innerhtml', () => {
+    const ruleId = 'xss-innerhtml';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should have AST matcher configured', () => {
+      const rule = getRule(ruleId);
+      expect(rule?.astMatcher).toBe('xss-innerhtml');
+    });
+  });
+
+  describe('secrets-localstorage', () => {
+    const ruleId = 'secrets-localstorage';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect localStorage.setItem with token', () => {
+      expect(testRule(ruleId, `localStorage.setItem('token', jwt)`)).toBe(true);
+    });
+
+    it('should detect localStorage.setItem with auth', () => {
+      expect(testRule(ruleId, `localStorage.setItem('auth', data)`)).toBe(true);
+    });
+
+    it('should detect sessionStorage.setItem with jwt', () => {
+      expect(testRule(ruleId, `sessionStorage.setItem('jwt', token)`)).toBe(true);
+    });
+
+    it('should detect localStorage.setItem with api-key', () => {
+      expect(testRule(ruleId, `localStorage.setItem('api-key', key)`)).toBe(true);
+    });
+
+    it('should NOT detect localStorage for non-sensitive data', () => {
+      expect(testRule(ruleId, `localStorage.setItem('theme', 'dark')`)).toBe(false);
+    });
+
+    it('should NOT detect localStorage for user preferences', () => {
+      expect(testRule(ruleId, `localStorage.setItem('language', 'en')`)).toBe(false);
+    });
+  });
+
+  describe('supabase-no-rls', () => {
+    const ruleId = 'supabase-no-rls';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect .from().select()', () => {
+      expect(testRule(ruleId, `.from('users').select('*')`)).toBe(true);
+    });
+
+    it('should detect .from().insert()', () => {
+      expect(testRule(ruleId, `.from('posts').insert(data)`)).toBe(true);
+    });
+
+    it('should detect .from().update()', () => {
+      expect(testRule(ruleId, `.from('profiles').update({ name })`)).toBe(true);
+    });
+
+    it('should detect .from().delete()', () => {
+      expect(testRule(ruleId, `.from('comments').delete()`)).toBe(true);
+    });
+  });
+
+  describe('firebase-no-rules', () => {
+    const ruleId = 'firebase-no-rules';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect firestore().collection()', () => {
+      expect(testRule(ruleId, `firestore().collection('users')`)).toBe(true);
+    });
+
+    it('should detect firebase.database().ref()', () => {
+      expect(testRule(ruleId, `firebase.database().ref('posts')`)).toBe(true);
+    });
+  });
+
+  describe('idor-vulnerability', () => {
+    const ruleId = 'idor-vulnerability';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should have AST matcher configured', () => {
+      const rule = getRule(ruleId);
+      expect(rule?.astMatcher).toBe('idor');
+    });
+  });
+
+  describe('path-traversal', () => {
+    const ruleId = 'path-traversal';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect readFile with req.params', () => {
+      expect(testRule(ruleId, `readFile(req.params.filename)`)).toBe(true);
+    });
+
+    it('should detect readFileSync with query param', () => {
+      expect(testRule(ruleId, `readFileSync(req.query.path)`)).toBe(true);
+    });
+
+    it('should detect path.join with user input', () => {
+      expect(testRule(ruleId, `path.join(baseDir, req.params.file)`)).toBe(true);
+    });
+
+    it('should detect res.sendFile with params', () => {
+      expect(testRule(ruleId, `res.sendFile(req.params.file)`)).toBe(true);
+    });
+
+    it('should detect Python open with request', () => {
+      expect(testRule(ruleId, `open(request.args.get('file'))`)).toBe(true);
+    });
+
+    it('should NOT detect readFile with static path', () => {
+      expect(testRule(ruleId, `readFile('./config.json')`)).toBe(false);
+    });
+  });
+
+  describe('ssrf-vulnerability', () => {
+    const ruleId = 'ssrf-vulnerability';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect fetch with user input', () => {
+      expect(testRule(ruleId, `fetch(req.body.url)`)).toBe(true);
+    });
+
+    it('should detect axios.get with params', () => {
+      expect(testRule(ruleId, `axios.get(req.query.endpoint)`)).toBe(true);
+    });
+
+    it('should detect Python requests with f-string', () => {
+      expect(testRule(ruleId, `requests.get(f"http://api.com/{user_input}")`)).toBe(true);
+    });
+
+    it('should NOT detect fetch with static URL', () => {
+      expect(testRule(ruleId, `fetch('https://api.example.com/data')`)).toBe(false);
+    });
+  });
+
+  describe('open-redirect', () => {
+    const ruleId = 'open-redirect';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect res.redirect with req.query', () => {
+      expect(testRule(ruleId, `res.redirect(req.query.returnUrl)`)).toBe(true);
+    });
+
+    it('should detect res.redirect with req.body', () => {
+      expect(testRule(ruleId, `res.redirect(req.body.next)`)).toBe(true);
+    });
+
+    it('should detect window.location with params', () => {
+      expect(testRule(ruleId, `window.location = searchParams.get('redirect')`)).toBe(true);
+    });
+
+    it('should detect Django HttpResponseRedirect', () => {
+      expect(testRule(ruleId, `HttpResponseRedirect(request.GET.get('next'))`)).toBe(true);
+    });
+
+    it('should NOT detect redirect to static URL', () => {
+      expect(testRule(ruleId, `res.redirect('/dashboard')`)).toBe(false);
+    });
+  });
+
+  describe('insecure-cookie', () => {
+    const ruleId = 'insecure-cookie';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect res.cookie for token without flags', () => {
+      expect(testRule(ruleId, `  res.cookie('token', jwt)`)).toBe(true);
+    });
+
+    it('should detect document.cookie setting session', () => {
+      expect(testRule(ruleId, `  document.cookie = "session=abc123"`)).toBe(true);
+    });
+
+    it('should NOT detect commented code', () => {
+      expect(testRule(ruleId, `// res.cookie('token', jwt, { httpOnly: true })`)).toBe(false);
+    });
+
+    it('should NOT detect non-sensitive cookies', () => {
+      expect(testRule(ruleId, `  document.cookie = "theme=dark"`)).toBe(false);
+    });
+  });
+
+  describe('missing-csrf', () => {
+    const ruleId = 'missing-csrf';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect HTML form without CSRF token', () => {
+      expect(testRule(ruleId, `<form method="post" action="/submit"><input type="text"></form>`)).toBe(true);
+    });
+
+    it('should NOT detect form with CSRF token', () => {
+      // Pattern has limited lookahead, so forms with csrf close by should not match
+      expect(testRule(ruleId, `<form method="post" action="/submit">{% csrf_token %}<input></form>`)).toBe(false);
+    });
+  });
+
+  describe('nextjs-exposed-server-action', () => {
+    const ruleId = 'nextjs-exposed-server-action';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect server action without auth check', () => {
+      const code = `'use server';\nexport async function deleteUser(id) {\n  await db.delete(id);\n}`;
+      expect(testRule(ruleId, code)).toBe(true);
+    });
+
+    it('should NOT detect server action with session check', () => {
+      const code = `'use server';\nexport async function deleteUser(id) {\n  const session = await getServerSession();\n}`;
+      expect(testRule(ruleId, code)).toBe(false);
+    });
+  });
+
+  describe('nextjs-api-route-no-auth', () => {
+    const ruleId = 'nextjs-api-route-no-auth';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect API route without auth', () => {
+      const code = `export async function POST(request) {\n  const data = await request.json();\n  return Response.json({ ok: true });\n}`;
+      expect(testRule(ruleId, code)).toBe(true);
+    });
+
+    it('should NOT detect API route with getServerSession', () => {
+      const code = `export async function POST(request) {\n  const session = await getServerSession();\n  if (!session) return;\n}`;
+      expect(testRule(ruleId, code)).toBe(false);
+    });
+  });
+
+  describe('nextjs-dangerouslySetInnerHTML', () => {
+    const ruleId = 'nextjs-dangerouslySetInnerHTML';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect dangerouslySetInnerHTML with variable', () => {
+      expect(testRule(ruleId, `dangerouslySetInnerHTML={{ __html: content }}`)).toBe(true);
+    });
+
+    it('should flag all dangerouslySetInnerHTML for review', () => {
+      // Note: Pattern flags all dangerouslySetInnerHTML for manual review since
+      // it's difficult to distinguish safe vs unsafe usage via regex
+      expect(testRule(ruleId, `dangerouslySetInnerHTML={{ __html: "<b>Hello</b>" }}`)).toBe(true);
+    });
+  });
+
+  describe('django-no-csrf-exempt', () => {
+    const ruleId = 'django-no-csrf-exempt';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect @csrf_exempt decorator', () => {
+      expect(testRule(ruleId, `@csrf_exempt\ndef my_view(request):`)).toBe(true);
+    });
+  });
+
+  describe('fastapi-no-auth-dependency', () => {
+    const ruleId = 'fastapi-no-auth-dependency';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect admin endpoint without Depends', () => {
+      const code = `@app.post("/admin/users")\nasync def create_user(data: dict):`;
+      expect(testRule(ruleId, code)).toBe(true);
+    });
+
+    it('should detect endpoint even with Depends (pattern limitation)', () => {
+      // Note: Current pattern has limitations - it checks function signature
+      // but Depends can appear in various positions. Manual review recommended.
+      const code = `@app.post("/admin/users")\nasync def create_user(data: dict, user: User = Depends(get_current_user)):`;
+      // Pattern matches because it can't reliably parse Python function signatures
+      expect(testRule(ruleId, code)).toBe(true);
+    });
+  });
+
+  describe('nestjs-no-auth-guard', () => {
+    const ruleId = 'nestjs-no-auth-guard';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect admin controller without guard', () => {
+      const code = `@Controller('admin')\nexport class AdminController {`;
+      expect(testRule(ruleId, code)).toBe(true);
+    });
+
+    it('should NOT detect controller with UseGuards', () => {
+      const code = `@Controller('admin')\n@UseGuards(AuthGuard)\nexport class AdminController {`;
+      expect(testRule(ruleId, code)).toBe(false);
+    });
+  });
+
+  describe('react-href-javascript', () => {
+    const ruleId = 'react-href-javascript';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect href with javascript: protocol', () => {
+      expect(testRule(ruleId, `href="javascript:alert(1)"`)).toBe(true);
+    });
+
+    it('should detect dynamic href with javascript:', () => {
+      expect(testRule(ruleId, `href={"javascript:" + code}`)).toBe(true);
+    });
+
+    it('should NOT detect normal href', () => {
+      expect(testRule(ruleId, `href="/dashboard"`)).toBe(false);
+    });
+  });
+
+  describe('express-session-insecure', () => {
+    const ruleId = 'express-session-insecure';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect session without secure options', () => {
+      expect(testRule(ruleId, `session({ secret: 'mysecret' })`)).toBe(true);
+    });
+  });
+});

package/tests/rules/low.test.ts

@@ -0,0 +1,172 @@
+import { describe, it, expect } from 'vitest';
+import { testRule, getRule } from '../helpers';
+
+describe('Low Security Rules', () => {
+  describe('verbose-errors', () => {
+    const ruleId = 'verbose-errors';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect res.json(error)', () => {
+      expect(testRule(ruleId, `res.json(error)`)).toBe(true);
+    });
+
+    it('should detect res.send(err.message)', () => {
+      expect(testRule(ruleId, `res.send(err.message)`)).toBe(true);
+    });
+
+    it('should detect status(500).json with error', () => {
+      expect(testRule(ruleId, `.status(500).json({ error: err.message })`)).toBe(true);
+    });
+
+    it('should NOT detect generic error response', () => {
+      expect(testRule(ruleId, `res.json({ error: 'An error occurred' })`)).toBe(false);
+    });
+  });
+
+  describe('missing-rate-limit', () => {
+    const ruleId = 'missing-rate-limit';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect app.post("/login") without middleware', () => {
+      expect(testRule(ruleId, `app.post("/login", async (`)).toBe(true);
+    });
+
+    it('should detect app.post("/signin") without middleware', () => {
+      expect(testRule(ruleId, `app.post("/signin", async (`)).toBe(true);
+    });
+
+    it('should detect app.post("/register") without middleware', () => {
+      expect(testRule(ruleId, `app.post("/register", async (`)).toBe(true);
+    });
+
+    it('should detect app.post("/forgot-password")', () => {
+      expect(testRule(ruleId, `app.post("/forgot-password", async (`)).toBe(true);
+    });
+
+    it('should NOT detect non-auth endpoints', () => {
+      expect(testRule(ruleId, `app.post("/api/posts", async (`)).toBe(false);
+    });
+  });
+
+  describe('console-log-sensitive', () => {
+    const ruleId = 'console-log-sensitive';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect console.log(password)', () => {
+      expect(testRule(ruleId, `console.log(password)`)).toBe(true);
+    });
+
+    it('should detect console.log(secret)', () => {
+      expect(testRule(ruleId, `console.log(secret)`)).toBe(true);
+    });
+
+    it('should detect console.log(apiKey)', () => {
+      expect(testRule(ruleId, `console.log(apiKey)`)).toBe(true);
+    });
+
+    it('should detect console.log with token variable', () => {
+      expect(testRule(ruleId, `console.log(token)`)).toBe(true);
+    });
+
+    it('should detect Python print with f-string password', () => {
+      expect(testRule(ruleId, `print(f"Password: {password}")`)).toBe(true);
+    });
+
+    it('should NOT detect console.log with string literal', () => {
+      expect(testRule(ruleId, `console.log('Password is valid')`)).toBe(false);
+    });
+
+    it('should NOT detect console.log with non-sensitive data', () => {
+      expect(testRule(ruleId, `console.log(username)`)).toBe(false);
+    });
+  });
+
+  describe('debug-mode-enabled', () => {
+    const ruleId = 'debug-mode-enabled';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect DEBUG = True', () => {
+      expect(testRule(ruleId, `DEBUG = True`)).toBe(true);
+    });
+
+    it('should detect debug: true', () => {
+      expect(testRule(ruleId, `{ debug: true }`)).toBe(true);
+    });
+
+    it('should detect NODE_ENV=development', () => {
+      expect(testRule(ruleId, `process.env.NODE_ENV = 'development'`)).toBe(true);
+    });
+
+    it('should NOT detect DEBUG = False', () => {
+      expect(testRule(ruleId, `DEBUG = False`)).toBe(false);
+    });
+
+    it('should NOT detect debug: false', () => {
+      expect(testRule(ruleId, `{ debug: false }`)).toBe(false);
+    });
+  });
+
+  describe('prototype-pollution', () => {
+    const ruleId = 'prototype-pollution';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect Object.assign with req.body', () => {
+      expect(testRule(ruleId, `Object.assign({}, req.body)`)).toBe(true);
+    });
+
+    it('should detect spread operator with body', () => {
+      expect(testRule(ruleId, `{ ...body, name }`)).toBe(true);
+    });
+
+    it('should detect spread with query', () => {
+      expect(testRule(ruleId, `{ ...query }`)).toBe(true);
+    });
+
+    it('should detect lodash.merge with req.body', () => {
+      expect(testRule(ruleId, `lodash.merge(target, req.body)`)).toBe(true);
+    });
+
+    it('should detect deepmerge with body', () => {
+      expect(testRule(ruleId, `deepmerge(config, body.settings)`)).toBe(true);
+    });
+
+    it('should NOT detect Object.assign with static object', () => {
+      expect(testRule(ruleId, `Object.assign({}, { name: 'test' })`)).toBe(false);
+    });
+  });
+
+  describe('nestjs-exposed-internal-exception', () => {
+    const ruleId = 'nestjs-exposed-internal-exception';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect throw new Error(err.message)', () => {
+      expect(testRule(ruleId, `throw new Error(err.message)`)).toBe(true);
+    });
+
+    it('should detect throw new InternalServerErrorException(error.message)', () => {
+      expect(testRule(ruleId, `throw new InternalServerErrorException(error.message)`)).toBe(true);
+    });
+
+    it('should NOT detect throw new HttpException with generic message', () => {
+      expect(testRule(ruleId, `throw new HttpException('Internal error', 500)`)).toBe(false);
+    });
+  });
+});