@indicated/vibeguard 1.0.1 → 1.1.0

package/src/scanner/rules/definitions.ts

@@ -1,12 +1,17 @@
 import { SecurityRule } from '../../types';
 
 export const securityRules: SecurityRule[] = [
+  // ============================================
+  // FREE TIER RULES - Basic vulnerabilities
+  // ============================================
+
   // CRITICAL
   {
     id: 'hardcoded-secret',
     name: 'Hardcoded API Key/Secret',
     description: 'Hardcoded secrets can be extracted from source code and used maliciously',
     severity: 'critical',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /(['"`])(?:sk-[a-zA-Z0-9]{20,})\1/,
@@ -23,6 +28,7 @@ export const securityRules: SecurityRule[] = [
     name: 'SQL Injection Vulnerability',
     description: 'User input directly concatenated into SQL queries can allow attackers to execute arbitrary SQL',
     severity: 'critical',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     astMatcher: 'sql-injection',
     fix: 'Use parameterized queries or prepared statements',
@@ -32,6 +38,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Dangerous eval() Usage',
     description: 'eval() with dynamic input can execute arbitrary code',
     severity: 'critical',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     astMatcher: 'eval-usage',
     fix: 'Avoid eval() entirely or use safer alternatives like JSON.parse()',
@@ -41,6 +48,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Command Injection Vulnerability',
     description: 'User input passed to shell commands can allow arbitrary command execution',
     severity: 'critical',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /child_process.*exec\s*\([^)]*\$\{/,
@@ -59,6 +67,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Insecure Deserialization',
     description: 'Deserializing untrusted data can lead to remote code execution',
     severity: 'critical',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /pickle\.loads?\s*\(/,
@@ -71,12 +80,13 @@ export const securityRules: SecurityRule[] = [
     fix: 'Use safe deserialization methods. For Python use yaml.safe_load(). Avoid pickle with untrusted data',
   },
 
-  // HIGH
+  // HIGH (Pro - framework-specific)
   {
     id: 'missing-auth-route',
     name: 'Missing Authentication on API Route',
     description: 'API routes without authentication checks can be accessed by anyone',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     astMatcher: 'missing-auth',
     fix: 'Add authentication middleware or check session/token at route start',
@@ -86,6 +96,7 @@ export const securityRules: SecurityRule[] = [
     name: 'XSS via innerHTML/dangerouslySetInnerHTML',
     description: 'Setting innerHTML with user data can execute malicious scripts',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     astMatcher: 'xss-innerhtml',
     fix: 'Use textContent instead of innerHTML, or sanitize with DOMPurify',
@@ -95,6 +106,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Secrets in localStorage/sessionStorage',
     description: 'Storing sensitive data in browser storage exposes it to XSS attacks',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     patterns: [
       /localStorage\.setItem\s*\(\s*['"`](?:token|jwt|auth|session|api[_-]?key|secret|password|credential)/i,
@@ -107,6 +119,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Supabase Without RLS',
     description: 'Direct table access without Row Level Security allows unauthorized data access',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /\.from\s*\(\s*['"`][^'"`]+['"`]\s*\)\.(?:select|insert|update|delete)/,
@@ -119,6 +132,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Firebase Without Security Rules',
     description: 'Firebase operations without proper security rules can expose data',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /firestore\(\)\.collection\s*\(\s*['"`][^'"`]+['"`]\s*\)/,
@@ -131,6 +145,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Potential IDOR Vulnerability',
     description: 'Direct object references without ownership check allow unauthorized access',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     astMatcher: 'idor',
     fix: 'Always verify the requesting user owns or has access to the resource',
@@ -140,6 +155,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Path Traversal Vulnerability',
     description: 'User input in file paths can allow access to arbitrary files',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /(?:readFile|writeFile|readFileSync|writeFileSync|createReadStream|createWriteStream)\s*\([^)]*(?:req\.|params\.|query\.|body\.|\$\{)/,
@@ -155,6 +171,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Server-Side Request Forgery (SSRF)',
     description: 'User-controlled URLs can be used to access internal services',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /(?:fetch|axios\.get|axios\.post|request|got|node-fetch)\s*\([^)]*(?:req\.|params\.|query\.|body\.|\$\{)/,
@@ -169,6 +186,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Open Redirect Vulnerability',
     description: 'Redirecting to user-supplied URLs can be used for phishing attacks',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /res\.redirect\s*\([^)]*(?:req\.|params\.|query\.|body\.)/,
@@ -185,6 +203,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Insecure Cookie Configuration',
     description: 'Cookies without security flags are vulnerable to theft and CSRF',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /^\s*res\.cookie\s*\(\s*['"`](?:token|session|auth|jwt)[^'"]*['"`]\s*,\s*\w+\s*\)/im,
@@ -198,6 +217,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Missing CSRF Protection',
     description: 'Forms without CSRF tokens can be exploited by malicious sites',
     severity: 'high',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /<form[^>]+method\s*=\s*['"`]post['"`][^>]*>(?![^<]{0,200}csrf)/i,
@@ -206,12 +226,13 @@ export const securityRules: SecurityRule[] = [
     fix: 'Implement CSRF tokens using csurf (Express) or Django/Flask CSRF middleware',
   },
 
-  // MEDIUM
+  // MEDIUM (Free tier)
   {
     id: 'permissive-cors',
     name: 'Permissive CORS Configuration',
     description: 'Allowing all origins can enable CSRF attacks from any website',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /Access-Control-Allow-Origin['"`:]\s*['"`]\*['"`]/,
@@ -225,6 +246,7 @@ export const securityRules: SecurityRule[] = [
     name: 'HTTP Instead of HTTPS',
     description: 'Unencrypted HTTP connections can be intercepted',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /['"`]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0)[^'"`]+['"`]/,
@@ -236,6 +258,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Weak Password Requirements',
     description: 'Password validation that allows weak passwords',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /password\.length\s*(?:>=?|>)\s*[1-5](?!\d)/,
@@ -249,6 +272,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Hardcoded IP Address',
     description: 'Hardcoded IP addresses make configuration inflexible and may expose internal infrastructure',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /['"`](?:10\.\d{1,3}\.\d{1,3}\.\d{1,3})['"`]/,
@@ -263,6 +287,7 @@ export const securityRules: SecurityRule[] = [
     name: 'XML External Entity (XXE) Injection',
     description: 'XML parsers with external entities enabled can leak files or perform SSRF',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /xml2js/,
@@ -281,6 +306,7 @@ export const securityRules: SecurityRule[] = [
     name: 'JWT None Algorithm Vulnerability',
     description: 'Accepting "none" algorithm in JWT allows token forgery',
     severity: 'medium',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /algorithms\s*:\s*\[[^\]]*['"`]none['"`]/i,
@@ -291,12 +317,13 @@ export const securityRules: SecurityRule[] = [
     fix: 'Always specify allowed algorithms explicitly and never include "none"',
   },
 
-  // LOW
+  // LOW (Free tier)
   {
     id: 'verbose-errors',
     name: 'Verbose Error Messages to Client',
     description: 'Detailed error messages can leak implementation details to attackers',
     severity: 'low',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     patterns: [
       /res\.(?:json|send)\s*\(\s*(?:err|error)(?:\.message|\.stack)?/,
@@ -309,6 +336,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Missing Rate Limiting',
     description: 'Auth endpoints without rate limiting are vulnerable to brute force attacks',
     severity: 'low',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     patterns: [
       /app\.post\s*\(\s*['"`]\/(?:login|signin|auth\/login|api\/login)['"`]\s*,\s*(?:async\s*)?\(/,
@@ -323,6 +351,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Logging Sensitive Data',
     description: 'Logging sensitive information can expose it in log files',
     severity: 'low',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /console\.log\s*\(\s*(?:password|secret|apiKey|token|credential|accessToken|refreshToken)\s*[,)]/i,
@@ -338,6 +367,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Debug Mode Enabled in Production',
     description: 'Debug mode can expose sensitive information and stack traces',
     severity: 'low',
+    tier: 'free',
     languages: ['javascript', 'typescript', 'python'],
     patterns: [
       /DEBUG\s*=\s*True/,
@@ -352,6 +382,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Potential Prototype Pollution',
     description: 'Merging user input into objects can allow prototype pollution attacks',
     severity: 'low',
+    tier: 'free',
     languages: ['javascript', 'typescript'],
     patterns: [
       /Object\.assign\s*\(\s*\{\}\s*,[^)]*(?:req\.|body\.|params\.|query\.)/,
@@ -363,7 +394,7 @@ export const securityRules: SecurityRule[] = [
   },
 
   // ============================================
-  // FRAMEWORK-SPECIFIC RULES
+  // PRO TIER RULES - Framework-specific
   // ============================================
 
   // --- Next.js ---
@@ -372,6 +403,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Next.js Server Action Without Auth',
     description: 'Server actions are public endpoints and need authentication checks',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /['"`]use server['"`]\s*;?\s*(?:export\s+)?(?:async\s+)?function\s+\w+\s*\([^)]*\)\s*\{(?![^}]*(?:auth|session|getServerSession|currentUser))/,
@@ -383,6 +415,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Next.js API Route Without Auth Check',
     description: 'API routes in Next.js are public by default and need explicit auth',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /export\s+(?:default\s+)?(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?![^}]{0,500}(?:getServerSession|auth|getToken|verifyToken|currentUser))/,
@@ -394,6 +427,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Next.js dangerouslySetInnerHTML with User Data',
     description: 'Using dangerouslySetInnerHTML with dynamic data can cause XSS',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*(?!['"`])/,
@@ -405,6 +439,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Next.js Private Env Exposed to Client',
     description: 'Environment variables without NEXT_PUBLIC_ prefix should not be in client code',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /['"`]use client['"`][\s\S]*process\.env\.(?!NEXT_PUBLIC_)[A-Z_]+/,
@@ -418,6 +453,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Django DEBUG=True in Production',
     description: 'Debug mode exposes sensitive information and should never be enabled in production',
     severity: 'critical',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /DEBUG\s*=\s*True/,
@@ -429,6 +465,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Django SECRET_KEY Hardcoded',
     description: 'Hardcoded SECRET_KEY can be extracted and used to forge sessions',
     severity: 'critical',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /SECRET_KEY\s*=\s*['"`][^'"`]{20,}['"`]/,
@@ -440,6 +477,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Django Raw SQL Query',
     description: 'Raw SQL queries with string formatting are vulnerable to SQL injection',
     severity: 'critical',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /\.raw\s*\(\s*f['"`]/,
@@ -454,6 +492,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Django CSRF Exemption',
     description: 'Disabling CSRF protection exposes the endpoint to cross-site attacks',
     severity: 'high',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /@csrf_exempt/,
@@ -465,6 +504,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Django ALLOWED_HOSTS Wildcard',
     description: 'Allowing all hosts can enable host header attacks',
     severity: 'medium',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /ALLOWED_HOSTS\s*=\s*\[\s*['"`]\*['"`]\s*\]/,
@@ -478,6 +518,7 @@ export const securityRules: SecurityRule[] = [
     name: 'FastAPI Endpoint Without Auth Dependency',
     description: 'Sensitive endpoints should use Depends() for authentication',
     severity: 'high',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /@app\.(?:post|put|delete|patch)\s*\(\s*['"`]\/(?:admin|user|account|settings)[^'"]*['"`]\s*\)\s*\n(?:async\s+)?def\s+\w+\s*\([^)]*\)(?![^:]*Depends)/,
@@ -489,6 +530,7 @@ export const securityRules: SecurityRule[] = [
     name: 'FastAPI CORS Allow All Origins',
     description: 'Allowing all origins with credentials enabled is a security risk',
     severity: 'medium',
+    tier: 'pro',
     languages: ['python'],
     patterns: [
       /add_middleware\s*\(\s*CORSMiddleware[^)]*allow_origins\s*=\s*\[\s*['"`]\*['"`]\s*\]/,
@@ -502,6 +544,7 @@ export const securityRules: SecurityRule[] = [
     name: 'NestJS Controller Without Auth Guard',
     description: 'Controllers handling sensitive data should use authentication guards',
     severity: 'high',
+    tier: 'pro',
     languages: ['typescript'],
     patterns: [
       /@Controller\s*\(\s*['"`](?:admin|user|account|settings|payment)[^'"]*['"`]\s*\)\s*\nexport\s+class\s+\w+(?![^{]*@UseGuards)/,
@@ -513,6 +556,7 @@ export const securityRules: SecurityRule[] = [
     name: 'NestJS Internal Exception Exposed',
     description: 'Throwing raw errors exposes internal details to clients',
     severity: 'low',
+    tier: 'pro',
     languages: ['typescript'],
     patterns: [
       /throw\s+new\s+(?:Error|InternalServerErrorException)\s*\(\s*(?:err|error)\.message/,
@@ -526,6 +570,7 @@ export const securityRules: SecurityRule[] = [
     name: 'React href with javascript: Protocol',
     description: 'javascript: URLs in href can execute arbitrary code',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /href\s*=\s*\{[^}]*['"`]javascript:/,
@@ -538,6 +583,7 @@ export const securityRules: SecurityRule[] = [
     name: 'React URL Parameters in Dangerous Context',
     description: 'URL parameters used in dangerous contexts can cause XSS',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /useSearchParams\s*\(\s*\)[\s\S]*dangerouslySetInnerHTML/,
@@ -552,6 +598,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Express Missing Security Headers (Helmet)',
     description: 'Express apps should use Helmet for security headers',
     severity: 'medium',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /express\s*\(\s*\)(?![^;]*helmet)/,
@@ -563,6 +610,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Express Body Parser Without Size Limit',
     description: 'Unlimited body size can lead to denial of service attacks',
     severity: 'medium',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /express\.json\s*\(\s*\)/,
@@ -575,6 +623,7 @@ export const securityRules: SecurityRule[] = [
     name: 'Express Session Insecure Configuration',
     description: 'Session cookies should be secure and httpOnly',
     severity: 'high',
+    tier: 'pro',
     languages: ['javascript', 'typescript'],
     patterns: [
       /session\s*\(\s*\{[^}]*secret\s*:[^}]*\}\s*\)(?![^)]*(?:secure|httpOnly))/,

package/src/scanner/rules/matcher.ts

@@ -35,6 +35,7 @@ export function matchPatterns(
         column,
         code: context.lines[lineNumber - 1] || '',
         message: rule.description,
+        isRestricted: false,
       });
 
       // Prevent infinite loops on zero-width matches

package/src/types.ts

@@ -1,10 +1,12 @@
 export type Severity = 'critical' | 'high' | 'medium' | 'low';
+export type Tier = 'free' | 'pro';
 
 export interface SecurityRule {
   id: string;
   name: string;
   description: string;
   severity: Severity;
+  tier: Tier;
   languages: ('javascript' | 'typescript' | 'python')[];
   patterns?: RegExp[];
   astMatcher?: string;
@@ -18,6 +20,7 @@ export interface Finding {
   column: number;
   code: string;
   message: string;
+  isRestricted: boolean;  // true if user on free tier and rule is 'pro'
 }
 
 export interface ScanResult {