@ship-safe/cli 1.1.3 → 1.1.7

package/dist/index.js

@@ -4210,7 +4210,8 @@ var NEXTJS_RULES = [
       { regex: "export\\s+(?:async\\s+)?function\\s+(?:GET|POST|PUT|DELETE|PATCH)\\s*\\(", type: "match" }
     ],
     excludePatterns: [
-      { regex: "(?:auth|session|token|clerk|getAuth|currentUser|requireAuth|protect|webhook|public|health)", type: "context_line" }
+      { regex: "(?:auth|session|token|clerk|getAuth|currentUser|requireAuth|protect|webhook|public|health)", type: "context_line" },
+      { regex: "(?:webhook|callback|health|cron|stripe|checkout|unsubscribe|contact|export|badge|cli\\/)", type: "file_path" }
     ],
     fix: { description: "Add authentication to your API route. Use middleware or check the session at the start of each handler.", suggestion: "const { userId } = auth();\nif (!userId) return new Response('Unauthorized', { status: 401 });" }
   },
@@ -4714,7 +4715,10 @@ var SECRET_RULES = [
     owasp: "A07:2021",
     languages: ["*"],
     patterns: [{ regex: `(?:password|passwd|pwd)\\s*[:=]\\s*["']([^\\s"']{8,})["']`, type: "match" }],
-    excludePatterns: [{ regex: "(?:example|test|fake|dummy|placeholder|password123|changeme|process\\.env|import\\.meta\\.env|type|interface|schema|validation|zod|yup)", type: "context_line" }],
+    excludePatterns: [
+      { regex: "(?:example|test|fake|dummy|placeholder|password123|changeme|process\\.env|import\\.meta\\.env|type|interface|schema|validation|zod|yup)", type: "context_line" },
+      { regex: "(?:admin123|admin|default|sample|secret123|qwerty|letmein|welcome|monkey|dragon|master|1234|abcd)", type: "context_line" }
+    ],
     fix: { description: "Remove hardcoded passwords. Use environment variables or a secrets manager." }
   },
   {
@@ -4893,6 +4897,10 @@ var XSS_RULES = [
     owasp: "A03:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: "dangerouslySetInnerHTML", type: "match" }],
+    excludePatterns: [
+      { regex: "(?:json-ld|jsonLd|structured-data|schema\\.org|ld\\+json|localStorage|theme|nonce|suppressHydration|DOMPurify|sanitize)", type: "context_line" },
+      { regex: "(?:json-ld|jsonld|structured-data|layout\\.tsx|layout\\.jsx|_document\\.tsx|_document\\.jsx)", type: "file_path" }
+    ],
     fix: { description: "Avoid dangerouslySetInnerHTML. If you must use it, sanitize the HTML with DOMPurify or a similar library first." }
   },
   {
@@ -4905,6 +4913,10 @@ var XSS_RULES = [
     owasp: "A03:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: "document\\.write\\s*\\(", type: "match" }],
+    excludePatterns: [
+      { regex: "(?:pdf|print|export|report|window\\.open)", type: "context_line" },
+      { regex: "(?:pdf|print|export)", type: "file_path" }
+    ],
     fix: { description: "Replace document.write() with DOM manipulation methods like createElement() and appendChild()." }
   },
   {
@@ -5034,6 +5046,10 @@ var PII_RULES = [
     owasp: "A09:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: "console\\.log\\s*\\(.*(?:email|user\\.email|userEmail)", type: "match" }],
+    excludePatterns: [
+      { regex: "(?:chalk|ora|spinner|ink|inquirer|readline|prompt|display|print|show)", type: "context_line" },
+      { regex: "(?:cli\\/|commands\\/|bin\\/)", type: "file_path" }
+    ],
     fix: { description: "Avoid logging email addresses or other PII. If needed for debugging, mask the email." }
   },
   {
@@ -5046,6 +5062,10 @@ var PII_RULES = [
     owasp: "A09:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: "console\\.(?:log|info|debug|warn)\\s*\\(.*(?:password|token|secret|creditCard|ssn|socialSecurity)", type: "match" }],
+    excludePatterns: [
+      { regex: "(?:not set|missing|undefined|required|invalid|expired|failed|error|skipping)", type: "context_line" },
+      { regex: "(?:cli\\/|commands\\/|bin\\/)", type: "file_path" }
+    ],
     fix: { description: "Remove console logging of sensitive data before deploying to production." }
   },
   {
@@ -5091,7 +5111,10 @@ var AUTHZ_RULES = [
     owasp: "A01:2021",
     languages: ["javascript", "typescript"],
     patterns: [{ regex: `(?:isAdmin|role\\s*===?\\s*["']admin|user\\.role|hasPermission|isAuthorized)\\s*(?:\\)|&&|;|\\?)`, type: "match" }],
-    excludePatterns: [{ regex: "(?:middleware|server|api|route\\.ts|route\\.js|\\bGET\\b|\\bPOST\\b|\\bPUT\\b|\\bDELETE\\b)", type: "file_path" }],
+    excludePatterns: [
+      { regex: "(?:middleware|server|api|route\\.ts|route\\.js|\\bGET\\b|\\bPOST\\b|\\bPUT\\b|\\bDELETE\\b)", type: "file_path" },
+      { regex: "(?:useQuery|useConvex|useMutation|convex|trpc|graphql|useSWR|useSession|getServerSession|className|disabled|hidden|opacity|hidden|display|render|show|visible)", type: "context_line" }
+    ],
     fix: { description: "Always enforce admin/role checks on the server side (API routes or middleware), not just in the frontend. Client-side checks are for UI only." }
   },
   {
@@ -5561,7 +5584,10 @@ var HEADERS_RULES = [
       { regex: "(?:login|signin|sign-in|signup|sign-up|register|reset-password|forgot-password|verify-email).*(?:POST|post|handler|action)", type: "match" },
       { regex: "(?:POST|post|handler|action).*(?:login|signin|sign-in|signup|sign-up|register|reset-password|forgot-password)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:rateLimit|rateLimiter|throttle|limiter|upstash|slowDown|brute|attempts)", type: "context_line" }],
+    excludePatterns: [
+      { regex: "(?:rateLimit|rateLimiter|throttle|limiter|upstash|slowDown|brute|attempts)", type: "context_line" },
+      { regex: "(?:cli\\/|commands\\/|bin\\/|desktop\\/|electron\\/)", type: "file_path" }
+    ],
     fix: { description: "Add rate limiting to all authentication endpoints. Limit login attempts per IP and per account to prevent brute force attacks.", suggestion: "const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 5 })" }
   },
   {
@@ -5574,10 +5600,12 @@ var HEADERS_RULES = [
     owasp: "A10:2021",
     languages: ["javascript", "typescript"],
     patterns: [
-      { regex: "fetch\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl|targetUrl)", type: "match" },
+      { regex: "\\bfetch\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl|targetUrl)", type: "match" },
       { regex: "axios\\.(?:get|post|request)\\s*\\(\\s*(?:req\\.(?:body|query)|params|input|url|body|userUrl)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:169\\.254|metadata|validateUrl|isValidUrl|blockInternal|isInternalIp|allowedDomains|whitelist)", type: "context_line" }],
+    excludePatterns: [
+      { regex: "(?:169\\.254|metadata|validateUrl|isValidUrl|blockInternal|isInternalIp|allowedDomains|whitelist|resolveAndValidate|safeFetch|pinnedUrl|ssrf)", type: "context_line" }
+    ],
     fix: { description: "Block requests to cloud metadata IPs (169.254.169.254, fd00::, 10.x, 172.16-31.x, 192.168.x) before fetching user-provided URLs.", suggestion: "if (isInternalIP(url)) throw new Error('Internal URLs not allowed')" }
   },
   {
@@ -5590,10 +5618,10 @@ var HEADERS_RULES = [
     owasp: "A10:2021",
     languages: ["javascript", "typescript"],
     patterns: [
-      { regex: "fetch\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.\\w+\\s*\\)", type: "match" },
+      { regex: "\\bfetch\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.\\w+\\s*\\)", type: "match" },
       { regex: "new\\s+URL\\s*\\(\\s*(?:req|request|ctx)\\.(?:body|query|params)\\.(?:url|target|link|href)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:isInternalIp|blockPrivate|127\\.0\\.0|10\\.|172\\.16|192\\.168|validateUrl|allowedHosts|dnsResolve)", type: "context_line" }],
+    excludePatterns: [{ regex: "(?:isInternalIp|blockPrivate|127\\.0\\.0|10\\.|172\\.16|192\\.168|validateUrl|allowedHosts|dnsResolve|resolveAndValidate|safeFetch|pinnedUrl|ssrf)", type: "context_line" }],
     fix: { description: "Validate user URLs by resolving DNS and checking the IP is not in a private range before making the request." }
   }
 ];
@@ -5716,7 +5744,10 @@ var CLIENT_RULES = [
       { regex: "(?:res|response)\\.(?:json|send|status)\\s*\\([^)]*(?:error\\.stack|error\\.message|err\\.stack|err\\.message|e\\.stack)", type: "match" },
       { regex: "NextResponse\\.json\\s*\\(\\s*\\{[^}]*(?:error\\.stack|error\\.message|err\\.stack|err\\.message)", type: "match" }
     ],
-    excludePatterns: [{ regex: "(?:development|dev|NODE_ENV|process\\.env)", type: "context_line" }],
+    excludePatterns: [
+      { regex: "(?:development|dev|NODE_ENV|process\\.env)", type: "context_line" },
+      { regex: "(?:startsWith|includes|===|!==|Quota|limit|Unauthorized|Invalid)", type: "context_line" }
+    ],
     fix: { description: "Return a generic error message to users (e.g. 'Something went wrong'). Log the full error server-side with console.error() for debugging. Never send stack traces or internal error messages in API responses." }
   },
   {
@@ -5749,7 +5780,7 @@ var CLIENT_RULES = [
     ],
     excludePatterns: [
       { regex: "(?:csrf|xsrf|_token|csrfToken|validateToken|SameSite|clerk|auth\\(\\)|getAuth|currentUser|getSession)", type: "context_line" },
-      { regex: "(?:api/webhook|api/stripe|api/clerk|api/cron|api/internal)", type: "file_path" }
+      { regex: "(?:api/webhook|api/stripe|api/clerk|api/cron|api/internal|api/cli|api/checkout|api/contact|api/unsubscribe)", type: "file_path" }
     ],
     fix: { description: "Add CSRF protection: use SameSite=Strict cookies, verify a CSRF token header, or use a framework that handles this automatically (e.g. Next.js Server Actions have built-in CSRF protection)." }
   }
@@ -5819,10 +5850,30 @@ function extractSnippet(content, line, contextLines = 5) {
     return `${marker} ${lineNum} | ${l}`;
   }).join("\n");
 }
+function isCommentLine(line) {
+  const trimmed = line.trim();
+  return trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("/*") || trimmed.startsWith("* ") || trimmed.startsWith("*/") || trimmed === "*" || trimmed.startsWith("<!--");
+}
+function isInsideStringLiteral(line, pattern) {
+  const match = pattern.exec(line);
+  if (!match) return false;
+  const idx = match.index;
+  pattern.lastIndex = 0;
+  let backtickCount = 0;
+  for (let i = 0; i < idx; i++) {
+    if (line[i] === "`" && (i === 0 || line[i - 1] !== "\\")) backtickCount++;
+  }
+  return backtickCount % 2 === 1;
+}
 function matchRule(rule, file) {
   if (!rule.languages.includes("*") && !rule.languages.includes(file.language)) {
     return [];
   }
+  const isSecretRule = rule.id.startsWith("secrets/");
+  if (!isSecretRule) {
+    const docPaths = /(?:\/docs\/|\/examples\/|\/fixtures\/|__tests__\/fixtures)/i;
+    if (docPaths.test(file.path)) return [];
+  }
   const findings = [];
   const lines = file.content.split("\n");
   for (const pattern of rule.patterns) {
@@ -5832,6 +5883,8 @@ function matchRule(rule, file) {
       const line = lines[i];
       if (!regex.test(line)) continue;
       regex.lastIndex = 0;
+      if (!isSecretRule && isCommentLine(line)) continue;
+      if (!isSecretRule && isInsideStringLiteral(line, new RegExp(pattern.regex, "gi"))) continue;
       if (rule.excludePatterns?.length) {
         const excluded = rule.excludePatterns.some((ep) => {
           const exRegex = new RegExp(ep.regex, "i");
@@ -7475,10 +7528,10 @@ import { homedir as homedir2 } from "os";
 import { join as join3 } from "path";
 var HISTORY_DIR = join3(homedir2(), ".shipsafe", "scans");
 function fingerprint(f) {
-  return createHash2("md5").update(`${f.ruleId}:${f.file}`).digest("hex");
+  return createHash2("sha256").update(`${f.ruleId}:${f.file}`).digest("hex");
 }
 function historyPath(scanPath) {
-  const hash = createHash2("md5").update(scanPath).digest("hex");
+  const hash = createHash2("sha256").update(scanPath).digest("hex");
   return join3(HISTORY_DIR, `${hash}.json`);
 }
 function diffWithPrevious(scanPath, currentFindings) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.3",
+  "version": "1.1.7",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",