npm - @ship-safe/cli - Versions diffs - 1.1.3 → 1.1.5 - Mend

@ship-safe/cli 1.1.3 → 1.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +30 -5
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -4210,7 +4210,8 @@ var NEXTJS_RULES = [
       { regex: "export\\s+(?:async\\s+)?function\\s+(?:GET|POST|PUT|DELETE|PATCH)\\s*\\(", type: "match" }
     ],
     excludePatterns: [
-      { regex: "(?:auth|session|token|clerk|getAuth|currentUser|requireAuth|protect|webhook|public|health)", type: "context_line" }
+      { regex: "(?:auth|session|token|clerk|getAuth|currentUser|requireAuth|protect|webhook|public|health)", type: "context_line" },
+      { regex: "(?:webhook|callback|health|cron|stripe|checkout|unsubscribe|contact|export|badge)", type: "file_path" }
     ],
     fix: { description: "Add authentication to your API route. Use middleware or check the session at the start of each handler.", suggestion: "const { userId } = auth();\nif (!userId) return new Response('Unauthorized', { status: 401 });" }
   },
@@ -4893,6 +4894,10 @@ var XSS_RULES = [
     owasp: "A03:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: "dangerouslySetInnerHTML", type: "match" }],
+    excludePatterns: [
+      { regex: "(?:json-ld|jsonLd|structured-data|schema\\.org|ld\\+json|localStorage|theme|nonce|suppressHydration|DOMPurify|sanitize)", type: "context_line" },
+      { regex: "(?:json-ld|jsonld|structured-data)", type: "file_path" }
+    ],
     fix: { description: "Avoid dangerouslySetInnerHTML. If you must use it, sanitize the HTML with DOMPurify or a similar library first." }
   },
   {
@@ -5574,10 +5579,12 @@ var HEADERS_RULES = [
     owasp: "A10:2021",
     languages: ["javascript", "typescript"],
     patterns: [
-      { regex: "fetch\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl|targetUrl)", type: "match" },
+      { regex: "\\bfetch\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl|targetUrl)", type: "match" },
       { regex: "axios\\.(?:get|post|request)\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:169\\.254|metadata|validateUrl|isValidUrl|blockInternal|isInternalIp|allowedDomains|whitelist)", type: "context_line" }],
+    excludePatterns: [
+      { regex: "(?:169\\.254|metadata|validateUrl|isValidUrl|blockInternal|isInternalIp|allowedDomains|whitelist|resolveAndValidate|safeFetch|pinnedUrl|ssrf)", type: "context_line" }
+    ],
     fix: { description: "Block requests to cloud metadata IPs (169.254.169.254, fd00::, 10.x, 172.16-31.x, 192.168.x) before fetching user-provided URLs.", suggestion: "if (isInternalIP(url)) throw new Error('Internal URLs not allowed')" }
   },
   {
@@ -5590,10 +5597,10 @@ var HEADERS_RULES = [
     owasp: "A10:2021",
     languages: ["javascript", "typescript"],
     patterns: [
-      { regex: "fetch\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.\\w+\\s*\\)", type: "match" },
+      { regex: "\\bfetch\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.\\w+\\s*\\)", type: "match" },
       { regex: "new\\s+URL\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.(?:url|target|link|href)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:isInternalIp|blockPrivate|127\\.0\\.0|10\\.|172\\.16|192\\.168|validateUrl|allowedHosts|dnsResolve)", type: "context_line" }],
+    excludePatterns: [{ regex: "(?:isInternalIp|blockPrivate|127\\.0\\.0|10\\.|172\\.16|192\\.168|validateUrl|allowedHosts|dnsResolve|resolveAndValidate|safeFetch|pinnedUrl|ssrf)", type: "context_line" }],
     fix: { description: "Validate user URLs by resolving DNS and checking the IP is not in a private range before making the request." }
   }
 ];
@@ -5819,10 +5826,26 @@ function extractSnippet(content, line, contextLines = 5) {
     return `${marker} ${lineNum} | ${l}`;
   }).join("\n");
 }
+function isCommentLine(line) {
+  const trimmed = line.trim();
+  return trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*" || trimmed.startsWith("<!--");
+}
+function isInsideStringLiteral(line, pattern) {
+  const match = pattern.exec(line);
+  if (!match) return false;
+  const idx = match.index;
+  pattern.lastIndex = 0;
+  let backtickCount = 0;
+  for (let i = 0; i < idx; i++) {
+    if (line[i] === "`" && (i === 0 || line[i - 1] !== "\\")) backtickCount++;
+  }
+  return backtickCount % 2 === 1;
+}
 function matchRule(rule, file) {
   if (!rule.languages.includes("*") && !rule.languages.includes(file.language)) {
     return [];
   }
+  const isSecretRule = rule.id.startsWith("secrets/");
   const findings = [];
   const lines = file.content.split("\n");
   for (const pattern of rule.patterns) {
@@ -5832,6 +5855,8 @@ function matchRule(rule, file) {
       const line = lines[i];
       if (!regex.test(line)) continue;
       regex.lastIndex = 0;
+      if (!isSecretRule && isCommentLine(line)) continue;
+      if (!isSecretRule && isInsideStringLiteral(line, new RegExp(pattern.regex, "gi"))) continue;
       if (rule.excludePatterns?.length) {
         const excluded = rule.excludePatterns.some((ep) => {
           const exRegex = new RegExp(ep.regex, "i");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.3",
+  "version": "1.1.5",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",