@indicated/vibeguard 1.5.2 → 1.7.0

package/src/mcp/server.ts

@@ -245,6 +245,256 @@ function analyzeContext(finding: Finding, cwd: string): { signals: ContextSignal
       question = 'Is this a public key (anon/publishable) or an actual secret? Supabase anon keys are safe to expose.';
       break;
 
+    case 'insecure-randomness':
+      // Check if used for non-security purposes
+      if (finding.code.includes('color') || finding.code.includes('animation') ||
+          finding.code.includes('shuffle') || finding.code.includes('sample') ||
+          finding.code.includes('placeholder') || finding.code.includes('display')) {
+        signals.push({ signal: 'Appears to be used for non-security purposes (UI/display)', type: 'positive' });
+        confidence = 'low';
+      }
+      if (finding.code.includes('token') || finding.code.includes('secret') ||
+          finding.code.includes('password') || finding.code.includes('session') ||
+          finding.code.includes('nonce') || finding.code.includes('otp')) {
+        signals.push({ signal: 'Used for security-sensitive value generation', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is Math.random()/random used for security tokens or just UI/cosmetic purposes?';
+      break;
+
+    case 'weak-cryptography':
+      // Check if used for password hashing vs checksums
+      if (finding.code.includes('password') || finding.code.includes('secret') ||
+          finding.code.includes('token') || finding.code.includes('auth')) {
+        signals.push({ signal: 'Weak hash used for security-sensitive data', type: 'negative' });
+        confidence = 'high';
+      }
+      if (finding.code.includes('checksum') || finding.code.includes('etag') ||
+          finding.code.includes('cache') || finding.code.includes('fingerprint')) {
+        signals.push({ signal: 'May be used for non-security checksum/cache key', type: 'positive' });
+        confidence = 'low';
+      }
+      question = 'Is MD5/SHA1 used for security (bad) or for checksums/cache keys (acceptable)?';
+      break;
+
+    case 'nosql-injection':
+      // Check for input sanitization
+      if (fileContent.includes('mongo-sanitize') || fileContent.includes('express-mongo-sanitize') ||
+          fileContent.includes('sanitize') || fileContent.includes('validator')) {
+        signals.push({ signal: 'File uses input sanitization library', type: 'positive' });
+        confidence = 'low';
+      }
+      if (finding.code.includes('req.body') || finding.code.includes('req.query')) {
+        signals.push({ signal: 'User input passed directly to query', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is user input sanitized before being used in the NoSQL query?';
+      break;
+
+    case 'disabled-tls-verification':
+      if (fileContent.includes('development') || fileContent.includes('dev') ||
+          fileContent.includes('node_env') || fileContent.includes('test')) {
+        signals.push({ signal: 'May be conditionally enabled for development only', type: 'positive' });
+        confidence = 'medium';
+      } else {
+        signals.push({ signal: 'TLS verification unconditionally disabled', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is TLS verification only disabled in development, or also in production?';
+      break;
+
+    case 'unsafe-regex-construction':
+      if (fileContent.includes('escaperegex') || fileContent.includes('escape-string-regexp') ||
+          fileContent.includes('escaperegexp') || fileContent.includes('lodash') && fileContent.includes('escaperegexp')) {
+        signals.push({ signal: 'File imports regex escaping utility', type: 'positive' });
+        confidence = 'low';
+      }
+      if (finding.code.includes('req.') || finding.code.includes('query.') ||
+          finding.code.includes('params.') || finding.code.includes('body.')) {
+        signals.push({ signal: 'User input used directly in RegExp constructor', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is the user input escaped before being used in the RegExp constructor?';
+      break;
+
+    case 'postmessage-no-origin':
+      if (fileContent.includes('event.origin') || fileContent.includes('e.origin') ||
+          fileContent.includes('msg.origin')) {
+        signals.push({ signal: 'File checks origin elsewhere (may not be in handler)', type: 'positive' });
+        confidence = 'medium';
+      } else {
+        signals.push({ signal: 'No origin check found in file', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Does the message event handler validate event.origin before processing data?';
+      break;
+
+    case 'hardcoded-db-credentials':
+      if (finding.code.includes('localhost') || finding.code.includes('127.0.0.1') ||
+          finding.code.includes('example.com') || finding.code.includes('test')) {
+        signals.push({ signal: 'Connection string points to localhost/test (likely development)', type: 'positive' });
+        confidence = 'low';
+      }
+      if (finding.code.includes('.env') || fileContent.includes('process.env') ||
+          fileContent.includes('os.environ')) {
+        signals.push({ signal: 'File also uses environment variables (may be fallback)', type: 'positive' });
+        confidence = 'medium';
+      }
+      question = 'Is this a development-only connection string, or does it contain production credentials?';
+      break;
+
+    case 'ssti-vulnerability':
+      signals.push({ signal: 'User-controlled template rendering is almost always dangerous', type: 'negative' });
+      confidence = 'high';
+      question = 'Is user input being rendered as a template? This is nearly always a critical vulnerability.';
+      break;
+
+    case 'timing-attack':
+      if (finding.code.includes('timingsafeequal') || finding.code.includes('compare_digest') ||
+          fileContent.includes('timingsafeequal') || fileContent.includes('compare_digest')) {
+        signals.push({ signal: 'File uses constant-time comparison elsewhere', type: 'positive' });
+        confidence = 'low';
+      }
+      if (finding.code.includes('===') && (finding.code.includes('token') || finding.code.includes('secret'))) {
+        signals.push({ signal: 'Direct === comparison of secret values', type: 'negative' });
+        confidence = 'medium';
+      }
+      question = 'Is this comparing secrets/tokens? If so, use constant-time comparison.';
+      break;
+
+    case 'electron-insecure-config':
+      if (finding.code.includes('nodeIntegration') && finding.code.includes('true')) {
+        signals.push({ signal: 'nodeIntegration enabled exposes Node.js APIs to web content', type: 'negative' });
+        confidence = 'high';
+      }
+      if (finding.code.includes('contextIsolation') && finding.code.includes('false')) {
+        signals.push({ signal: 'contextIsolation disabled allows prototype pollution from web content', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Are these Electron security settings intentionally relaxed? This is dangerous for apps loading remote content.';
+      break;
+
+    case 'mass-assignment':
+      if (fileContent.includes('whitelist') || fileContent.includes('allowedfields') ||
+          fileContent.includes('pick') || fileContent.includes('only')) {
+        signals.push({ signal: 'File may use field whitelisting', type: 'positive' });
+        confidence = 'medium';
+      }
+      if (finding.code.includes('req.body') || finding.code.includes('request.data')) {
+        signals.push({ signal: 'Full request body passed to ORM operation', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is the user input filtered/whitelisted before being passed to the ORM create/update?';
+      break;
+
+    case 'jwt-missing-exp':
+      if (fileContent.includes('expiresIn') || fileContent.includes('exp:') || fileContent.includes("'exp'")) {
+        signals.push({ signal: 'File sets expiration elsewhere', type: 'positive' });
+        confidence = 'low';
+      } else {
+        signals.push({ signal: 'No expiration configuration found in file', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Does the JWT payload include an exp claim, or is expiresIn set elsewhere?';
+      break;
+
+    case 'jwt-weak-secret':
+      if (finding.code.includes('process.env') || finding.code.includes('os.environ') ||
+          finding.code.includes('config.')) {
+        signals.push({ signal: 'Secret loaded from environment/config', type: 'positive' });
+        confidence = 'low';
+      }
+      if (/['"`][^'"`]{1,15}['"`]/.test(finding.code)) {
+        signals.push({ signal: 'Short hardcoded string used as signing secret', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is the JWT signing secret loaded from environment variables or hardcoded?';
+      break;
+
+    case 'csp-unsafe-inline':
+      if (fileContent.includes('nonce') || fileContent.includes('hash-')) {
+        signals.push({ signal: 'File uses nonce or hash-based CSP (may be transitioning)', type: 'positive' });
+        confidence = 'medium';
+      }
+      if (finding.code.includes('unsafe-eval')) {
+        signals.push({ signal: 'unsafe-eval allows arbitrary script execution', type: 'negative' });
+        confidence = 'high';
+      }
+      if (finding.code.includes('unsafe-inline')) {
+        signals.push({ signal: 'unsafe-inline defeats XSS protection from CSP', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is unsafe-inline/unsafe-eval required for third-party scripts, or can nonces/hashes be used instead?';
+      break;
+
+    case 'cors-credentials-wildcard':
+      signals.push({ signal: 'Wildcard origin with credentials allows any site to make authenticated requests', type: 'negative' });
+      confidence = 'high';
+      question = 'Should this API be accessible from any origin with credentials? Restrict to specific trusted origins.';
+      break;
+
+    case 'password-hash-weak':
+      if (fileContent.includes('bcrypt') || fileContent.includes('scrypt') || fileContent.includes('argon2')) {
+        signals.push({ signal: 'File also uses a proper KDF (may be migrating)', type: 'positive' });
+        confidence = 'medium';
+      } else {
+        signals.push({ signal: 'No proper password KDF found in file', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is this hashing passwords for storage? Use bcrypt/scrypt/argon2 instead of raw hash functions.';
+      break;
+
+    case 'password-plaintext-storage':
+      if (fileContent.includes('bcrypt') || fileContent.includes('hash') ||
+          fileContent.includes('scrypt') || fileContent.includes('argon2')) {
+        signals.push({ signal: 'File contains hashing logic (may be applied before this line)', type: 'positive' });
+        confidence = 'medium';
+      } else {
+        signals.push({ signal: 'No password hashing found in file', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is the password hashed before being stored? Check if bcrypt.hash() or similar is called upstream.';
+      break;
+
+    case 'zip-slip':
+      if (fileContent.includes('path.resolve') || fileContent.includes('path.normalize') ||
+          fileContent.includes('os.path.abspath') || fileContent.includes('startswith')) {
+        signals.push({ signal: 'File has path validation logic', type: 'positive' });
+        confidence = 'low';
+      } else {
+        signals.push({ signal: 'No path validation found before extraction', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Are extracted file paths validated to prevent writing outside the target directory?';
+      break;
+
+    case 'http-client-no-timeout':
+      if (fileContent.includes('timeout') || fileContent.includes('AbortController') ||
+          fileContent.includes('signal')) {
+        signals.push({ signal: 'File configures timeout elsewhere (may be set globally)', type: 'positive' });
+        confidence = 'low';
+      } else {
+        signals.push({ signal: 'No timeout configuration found in file', type: 'negative' });
+        confidence = 'medium';
+      }
+      question = 'Is a timeout configured globally (e.g., via session defaults) or should one be added per-request?';
+      break;
+
+    case 's3-public-read':
+      if (relativePath.includes('test') || relativePath.includes('example') || relativePath.includes('sample')) {
+        signals.push({ signal: 'File appears to be test/example code', type: 'positive' });
+        confidence = 'low';
+      }
+      if (fileContent.includes('public') && (fileContent.includes('static') || fileContent.includes('assets') || fileContent.includes('cdn'))) {
+        signals.push({ signal: 'May be intentional public bucket for static assets/CDN', type: 'positive' });
+        confidence = 'medium';
+      } else {
+        signals.push({ signal: 'S3 bucket with public access policy', type: 'negative' });
+        confidence = 'high';
+      }
+      question = 'Is this S3 bucket intentionally public (static assets/CDN) or should access be restricted?';
+      break;
+
     default:
       question = `Verify if this ${finding.rule.name} finding is a real security issue in your specific context.`;
   }

package/src/scanner/parsers/python.ts

@@ -34,6 +34,123 @@ const pythonPatterns: { ruleId: string; pattern: RegExp }[] = [
     ruleId: 'verbose-errors',
     pattern: /app\.run\s*\([^)]*debug\s*=\s*True/i,
   },
+  // Insecure randomness - Python specific
+  {
+    ruleId: 'insecure-randomness',
+    pattern: /(?:token|key|secret|session|nonce|salt|otp|password)\s*=\s*['"`]?.*?random\.(?:choice|randint|sample)\s*\(/i,
+  },
+  {
+    ruleId: 'insecure-randomness',
+    pattern: /random\.(?:random|randint|choice|getrandbits)\s*\(\s*\).*(?:token|key|secret|session|password|nonce)/i,
+  },
+  // Weak cryptography - Python hashlib
+  {
+    ruleId: 'weak-cryptography',
+    pattern: /hashlib\.(?:md5|sha1)\s*\(\s*(?:password|secret|token)/i,
+  },
+  // Python SSTI - render_template_string
+  {
+    ruleId: 'ssti-vulnerability',
+    pattern: /render_template_string\s*\(\s*(?:request\.(?:args|form|data|values)|f['"`])/,
+  },
+  // Python assert for security
+  {
+    ruleId: 'python-assert-security',
+    pattern: /^\s*assert\s+.*(?:is_admin|is_authenticated|is_staff|has_perm|permission|authorized)/m,
+  },
+  // Unsafe tempfile
+  {
+    ruleId: 'unsafe-tempfile',
+    pattern: /tempfile\.mktemp\s*\(/,
+  },
+  // Python timing attack
+  {
+    ruleId: 'timing-attack',
+    pattern: /(?:token|secret|password|api_key|signature)\s*==\s*(?:request\.|data\[|params\[)/i,
+  },
+  // Python NoSQL injection (PyMongo)
+  {
+    ruleId: 'nosql-injection',
+    pattern: /\.find(?:_one)?\s*\(\s*(?:request\.(?:json|data|form|args)|json\.loads)/,
+  },
+  // Python mass assignment
+  {
+    ruleId: 'mass-assignment',
+    pattern: /\.objects\.create\s*\(\s*\*\*request\.(?:data|POST)/,
+  },
+  // Python log injection
+  {
+    ruleId: 'log-injection',
+    pattern: /(?:logger|logging)\.(?:info|warn|warning|error|debug)\s*\(\s*f?['"`][^'"`]*\{(?:request\.|req\.|user_input|data\[)/,
+  },
+
+  // JWT missing expiration - Python (PyJWT)
+  {
+    ruleId: 'jwt-missing-exp',
+    pattern: /jwt\.encode\s*\(\s*\{(?![^}]*['"`]exp['"`])[^}]*\}\s*,/,
+  },
+  // JWT weak secret - Python
+  {
+    ruleId: 'jwt-weak-secret',
+    pattern: /jwt\.encode\s*\([^,]+,\s*['"`][^'"`]{1,15}['"`]/,
+  },
+  {
+    ruleId: 'jwt-weak-secret',
+    pattern: /jwt\.decode\s*\([^,]+,\s*['"`][^'"`]{1,15}['"`]/,
+  },
+
+  // CORS credentials wildcard - FastAPI/Flask
+  {
+    ruleId: 'cors-credentials-wildcard',
+    pattern: /allow_origins\s*=\s*\[\s*['"`]\*['"`]\s*\][\s\S]{0,100}allow_credentials\s*=\s*True/,
+  },
+  {
+    ruleId: 'cors-credentials-wildcard',
+    pattern: /allow_credentials\s*=\s*True[\s\S]{0,100}allow_origins\s*=\s*\[\s*['"`]\*['"`]\s*\]/,
+  },
+
+  // Password hash weak - Python hashlib for passwords
+  {
+    ruleId: 'password-hash-weak',
+    pattern: /hashlib\.(?:md5|sha1|sha256)\s*\(\s*(?:password|passwd|pass|pwd)/i,
+  },
+
+  // Password plaintext storage - Django/SQLAlchemy
+  {
+    ruleId: 'password-plaintext-storage',
+    pattern: /\.(?:create|create_user)\s*\([^)]*password\s*=\s*(?:request\.(?:data|POST)\[?['"`]?password|data\[['"`]password)/,
+  },
+  {
+    ruleId: 'password-plaintext-storage',
+    pattern: /\.password\s*=\s*(?:request\.(?:data|POST|form)\[?['"`]?password|data\[['"`]password)/,
+  },
+
+  // Zip slip - Python zipfile/tarfile
+  {
+    ruleId: 'zip-slip',
+    pattern: /(?:ZipFile|zipfile\.ZipFile)\s*\([^)]*\)\.extractall\s*\(/,
+  },
+  {
+    ruleId: 'zip-slip',
+    pattern: /tarfile\.open\s*\([^)]*\)\.extractall\s*\(/,
+  },
+
+  // HTTP client no timeout - Python requests
+  {
+    ruleId: 'http-client-no-timeout',
+    pattern: /requests\.(?:get|post|put|delete|patch|head)\s*\(\s*[^)]*\)(?<![^)]*timeout)/,
+  },
+  // urllib without timeout
+  {
+    ruleId: 'http-client-no-timeout',
+    pattern: /urllib\.request\.urlopen\s*\(\s*[^)]*\)(?<![^)]*timeout)/,
+  },
+
+  // S3 public read - boto3
+  {
+    ruleId: 's3-public-read',
+    pattern: /ACL\s*=\s*['"`]public-read(?:-write)?['"`]/,
+  },
 ];
 
 export function scanPythonWithPatterns(