@reliabilityworks/core 0.4.0 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@reliabilityworks/core",
-  "version": "0.4.0",
+  "version": "0.6.0",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "scripts": {

package/test/fixtures/monorepo/apps/kit/src/sveltekit-rules.ts

@@ -0,0 +1,66 @@
+export const sveltekitRulesFixture = {
+  note: 'This file is a fixture used by VibeSec tests.',
+}
+
+export const sveltekitSecurityFixtures = [
+  "throw redirect(302, url.searchParams.get('next'))",
+  "redirect(301, url.searchParams.get('next'))",
+  "redirect(302, url.searchParams.get('next'))",
+  "cookies.set('session', token)",
+  "cookies.set('session', token, { secure: false, httpOnly: false, sameSite: 'none', domain: '.example.com', path: '/' })",
+  "Content-Security-Policy', \"script-src 'self' 'unsafe-inline'\"",
+  "Content-Security-Policy', \"script-src 'self' 'unsafe-eval'\"",
+  'X-Powered-By',
+  "'http://example.com'",
+  "process.env['NODE_TLS_REJECT_UNAUTHORIZED'] = '0'",
+  'rejectUnauthorized: false',
+  'http://localhost',
+  '169.254.169.254',
+  "fetch(url.searchParams.get('url'))",
+  'path.join(userInput)',
+  "readFile(url.searchParams.get('path'))",
+  "writeFile(url.searchParams.get('path'))",
+  'eval(userInput)',
+  "new Function('return 1')()",
+  "exec('id')",
+  "execSync('id')",
+  "spawn('sh', ['-c', 'id'])",
+  "spawnSync('sh', ['-c', 'id'])",
+  "fork('worker.js')",
+  "createHash('md5')",
+  "createHash('sha1')",
+  'Math.random()',
+  "cookieParser('super-secret-cookie-parser')",
+  "SESSION_SECRET = 'hardcoded-session-secret'",
+  "jwt.sign(payload, 'super-secret-jwt')",
+  "algorithms: ['none']",
+  'bcrypt.hash(password, 10)',
+  'password === input',
+  'SELECT * FROM users + req.query.id',
+  '$where',
+  "new RegExp(url.searchParams.get('q'))",
+  '{@html content}',
+  'text/html',
+  "Access-Control-Allow-Origin', '*'",
+  "Access-Control-Allow-Headers', '*'",
+  "Access-Control-Allow-Methods', '*'",
+  'credentials: true',
+  'debug: true',
+  'console.log(process.env.SECRET)',
+  "authorization console.log('leak')",
+  'console.log(await request.json())',
+  'console.log(request.headers)',
+  'JSON.parse(await request.text())',
+  'xml2js',
+  'graphql-playground',
+  'rateLimit()',
+  'csrf: false',
+  'upload.any()',
+  '"/tmp/uploads"',
+  "{ headers: { Location: url.searchParams.get('next') } }",
+].join('\n')
+
+export const sveltekitTemplateInterpolationFixture = "${url.searchParams.get('q')}"
+
+export const sveltekitSqlTemplateInterpolationFixture =
+  'SELECT * FROM users WHERE id = ${userInput}'

package/test/fixtures/monorepo/apps/rn/Info.plist

@@ -5,6 +5,29 @@
     <dict>
       <key>NSAllowsArbitraryLoads</key>
       <true />
+      <key>NSAllowsArbitraryLoadsInWebContent</key>
+      <true />
+      <key>NSAllowsArbitraryLoadsForMedia</key>
+      <true />
+      <key>NSAllowsArbitraryLoadsForWebContent</key>
+      <true />
+      <key>NSAllowsLocalNetworking</key>
+      <true />
+      <key>NSExceptionDomains</key>
+      <dict>
+        <key>example.com</key>
+        <dict>
+          <key>NSExceptionAllowsInsecureHTTPLoads</key>
+          <true />
+          <key>NSExceptionMinimumTLSVersion</key>
+          <string>TLSv1.0</string>
+        </dict>
+      </dict>
     </dict>
+
+    <key>UIFileSharingEnabled</key>
+    <true />
+    <key>LSSupportsOpeningDocumentsInPlace</key>
+    <true />
   </dict>
 </plist>

package/test/fixtures/monorepo/apps/rn/android/app/AndroidManifest.xml

@@ -1,3 +1,29 @@
-<manifest>
-  <application android:usesCleartextTraffic="true"></application>
+<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.rn">
+  <uses-permission android:name="android.permission.CAMERA" />
+  <uses-permission android:name="android.permission.RECORD_AUDIO" />
+  <uses-permission android:name="android.permission.READ_SMS" />
+  <uses-permission android:name="android.permission.SEND_SMS" />
+  <uses-permission android:name="android.permission.READ_CONTACTS" />
+  <uses-permission android:name="android.permission.WRITE_CONTACTS" />
+  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
+  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION" />
+  <uses-permission android:name="android.permission.READ_PHONE_STATE" />
+  <uses-permission android:name="android.permission.READ_CALL_LOG" />
+  <uses-permission android:name="android.permission.WRITE_CALL_LOG" />
+  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE" />
+  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />
+  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES" />
+  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS" />
+  <uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
+
+  <application
+    android:usesCleartextTraffic="true"
+    android:debuggable="true"
+    android:allowBackup="true"
+    android:networkSecurityConfig="@xml/network_security_config"
+    android:requestLegacyExternalStorage="true">
+    <activity android:name=".MainActivity" android:exported="true" />
+    <receiver android:name=".MyReceiver" android:exported="true" />
+    <service android:name=".MyService" android:exported="true" />
+  </application>
 </manifest>

package/test/fixtures/monorepo/apps/rn/app.entitlements

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plist version="1.0">
+  <dict>
+    <key>com.apple.developer.associated-domains</key>
+    <array>
+      <string>applinks:example.com</string>
+    </array>
+
+    <key>get-task-allow</key>
+    <true />
+
+    <key>keychain-access-groups</key>
+    <array>
+      <string>$(AppIdentifierPrefix)com.example.rn</string>
+    </array>
+  </dict>
+</plist>

package/test/fixtures/monorepo/apps/rn/src/rn-rules.ts

@@ -0,0 +1,38 @@
+export function triggerReactNativeRulesFixture() {
+  const snippets = [
+    'allowDeviceCredentials: true',
+    '__DEV__',
+    'debug: true',
+    "AsyncStorage.setItem('token', 'secret')",
+    "AsyncStorage.getItem('token')",
+    "fetch('http://example.com')",
+    "baseURL: 'http://example.com'",
+    "console.log('token', 'secret')",
+    'file://etc/passwd',
+    "Clipboard.setString('secret')",
+    'Pasteboard',
+    'Linking.getInitialURL()',
+    "Linking.openURL('http://example.com')",
+    "Linking.addEventListener('url', () => {})",
+    'remote debugging',
+    'Debug JS Remotely',
+    'new MMKV()',
+    'kSecAttrAccessibleAlways',
+    'MD5',
+    'SHA1',
+    'Math.random()',
+    "originWhitelist = ['*']",
+    "mixedContentMode = 'always'",
+    'javaScriptEnabled = { true }',
+    'domStorageEnabled = { true }',
+    "injectedJavaScript = '...';",
+    'sharedCookiesEnabled = {true}',
+    'thirdPartyCookiesEnabled = {true}',
+    'onMessage = () => {}',
+    "postMessage('hello')",
+    "uri: 'http://example.com'",
+    'allowlist',
+  ]
+
+  return snippets.join('\n')
+}

package/test/reactNativeRulesetCoverage.test.js

@@ -0,0 +1,33 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+
+const { scanProject } = require('../dist/index.js')
+
+test('react-native ruleset has fixture coverage', async () => {
+  const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'rn')
+  const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'react-native', 'rules.json')
+
+  const raw = await fs.readFile(rulesPath, 'utf8')
+  const rules = JSON.parse(raw)
+
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length >= 60, `Expected at least 60 react-native rules, got ${rules.length}`)
+
+  const expectedIds = rules.map((r) => r.id)
+  const result = await scanProject({
+    rootDir: fixtureRoot,
+    pathBaseDir: fixtureRoot,
+    additionalRules: rules,
+  })
+
+  const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
+  const missing = expectedIds.filter((id) => !foundIds.has(id))
+
+  assert.equal(
+    missing.length,
+    0,
+    `Missing react-native fixture coverage for: ${missing.join(', ')}`,
+  )
+})

package/test/sveltekitRulesetCoverage.test.js

@@ -0,0 +1,29 @@
+const assert = require('node:assert/strict')
+const fs = require('node:fs/promises')
+const path = require('node:path')
+const test = require('node:test')
+
+const { scanProject } = require('../dist/index.js')
+
+test('sveltekit ruleset has fixture coverage', async () => {
+  const fixtureRoot = path.join(__dirname, 'fixtures', 'monorepo', 'apps', 'kit')
+  const rulesPath = path.join(__dirname, '..', '..', 'rulesets', 'sveltekit', 'rules.json')
+
+  const raw = await fs.readFile(rulesPath, 'utf8')
+  const rules = JSON.parse(raw)
+
+  assert.ok(Array.isArray(rules))
+  assert.ok(rules.length >= 60, `Expected at least 60 sveltekit rules, got ${rules.length}`)
+
+  const expectedIds = rules.map((r) => r.id)
+  const result = await scanProject({
+    rootDir: fixtureRoot,
+    pathBaseDir: fixtureRoot,
+    additionalRules: rules,
+  })
+
+  const foundIds = new Set(result.findings.map((finding) => finding.ruleId))
+  const missing = expectedIds.filter((id) => !foundIds.has(id))
+
+  assert.equal(missing.length, 0, `Missing sveltekit fixture coverage for: ${missing.join(', ')}`)
+})