@reliabilityworks/core 0.4.0 → 0.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@reliabilityworks/core",
-  "version": "0.4.0",
+  "version": "0.5.0",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {

package/test/fixtures/monorepo/apps/kit/src/sveltekit-rules.ts

@@ -0,0 +1,66 @@
+export const sveltekitRulesFixture = {
+  note: 'This file is a fixture used by VibeSec tests.',
+}
+
+export const sveltekitSecurityFixtures = [
+  "throw redirect(302, url.searchParams.get('next'))",
+  "redirect(301, url.searchParams.get('next'))",
+  "redirect(302, url.searchParams.get('next'))",
+  "cookies.set('session', token)",
+  "cookies.set('session', token, { secure: false, httpOnly: false, sameSite: 'none', domain: '.example.com', path: '/' })",
+  "Content-Security-Policy', \"script-src 'self' 'unsafe-inline'\"",
+  "Content-Security-Policy', \"script-src 'self' 'unsafe-eval'\"",
+  'X-Powered-By',
+  "'http://example.com'",
+  "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'",
+  'rejectUnauthorized: false',
+  'http://localhost',
+  '169.254.169.254',
+  "fetch(url.searchParams.get('url'))",
+  'path.join(userInput)',
+  "readFile(url.searchParams.get('path'))",
+  "writeFile(url.searchParams.get('path'))",
+  'eval(userInput)',
+  "new Function('return 1')()",
+  "exec('id')",
+  "execSync('id')",
+  "spawn('sh', ['-c', 'id'])",
+  "spawnSync('sh', ['-c', 'id'])",
+  "fork('worker.js')",
+  "createHash('md5')",
+  "createHash('sha1')",
+  'Math.random()',
+  "cookieParser('super-secret-cookie-parser')",
+  "SESSION_SECRET = 'hardcoded-session-secret'",
+  "jwt.sign(payload, 'super-secret-jwt')",
+  "algorithms: ['none']",
+  'bcrypt.hash(password, 10)',
+  'password === input',
+  'SELECT * FROM users + req.query.id',
+  '$where',
+  "new RegExp(url.searchParams.get('q'))",
+  '{@html content}',
+  'text/html',
+  "Access-Control-Allow-Origin', '*'",
+  "Access-Control-Allow-Headers', '*'",
+  "Access-Control-Allow-Methods', '*'",
+  'credentials: true',
+  'debug: true',
+  'console.log(process.env.SECRET)',
+  "authorization console.log('leak')",
+  'console.log(await request.json())',
+  'console.log(request.headers)',
+  'JSON.parse(await request.text())',
+  'xml2js',
+  'graphql-playground',
+  'rateLimit()',
+  'csrf: false',
+  'upload.any()',
+  '"/tmp/uploads"',
+  "{ headers: { Location: url.searchParams.get('next') } }",
+].join('\n')
+
+export const sveltekitTemplateInterpolationFixture = "${url.searchParams.get('q')}"
+
+export const sveltekitSqlTemplateInterpolationFixture =
+  'SELECT * FROM users WHERE id = ${userInput}'

package/test/sveltekitRulesetCoverage.test.js

@@ -0,0 +1,29 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+
+const { scanProject } = require('../dist/index.js')
+
+test('sveltekit ruleset has fixture coverage', async () => {
+  const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'kit')
+  const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'sveltekit', 'rules.json')
+
+  const raw = await fs.readFile(rulesPath, 'utf8')
+  const rules = JSON.parse(raw)
+
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length >= 60, `Expected at least 60 sveltekit rules, got ${rules.length}`)
+
+  const expectedIds = rules.map((r) => r.id)
+  const result = await scanProject({
+    rootDir: fixtureRoot,
+    pathBaseDir: fixtureRoot,
+    additionalRules: rules,
+  })
+
+  const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
+  const missing = expectedIds.filter((id) => !foundIds.has(id))
+
+  assert.equal(missing.length, 0, `Missing sveltekit fixture coverage for: ${missing.join(', ')}`)
+})