guardvibe 0.8.1 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/data/rules/auth.d.ts.map +1 -1
- package/build/data/rules/auth.js +6 -15
- package/build/data/rules/auth.js.map +1 -1
- package/build/data/rules/core.js +3 -3
- package/build/data/rules/core.js.map +1 -1
- package/build/data/rules/database.d.ts.map +1 -1
- package/build/data/rules/database.js +5 -14
- package/build/data/rules/database.js.map +1 -1
- package/build/data/rules/index.d.ts.map +1 -1
- package/build/data/rules/index.js +6 -0
- package/build/data/rules/index.js.map +1 -1
- package/build/data/rules/nextjs.js +1 -1
- package/build/data/rules/nextjs.js.map +1 -1
- package/build/data/rules/payments.d.ts +3 -0
- package/build/data/rules/payments.d.ts.map +1 -0
- package/build/data/rules/payments.js +111 -0
- package/build/data/rules/payments.js.map +1 -0
- package/build/data/rules/services.d.ts +3 -0
- package/build/data/rules/services.d.ts.map +1 -0
- package/build/data/rules/services.js +135 -0
- package/build/data/rules/services.js.map +1 -0
- package/build/data/rules/web-security.d.ts +3 -0
- package/build/data/rules/web-security.d.ts.map +1 -0
- package/build/data/rules/web-security.js +169 -0
- package/build/data/rules/web-security.js.map +1 -0
- package/build/index.js +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA0GnC,CAAC"}
|
package/build/data/rules/auth.js
CHANGED
|
@@ -6,31 +6,22 @@ export const authRules = [
|
|
|
6
6
|
severity: "high",
|
|
7
7
|
owasp: "A01:2025 Broken Access Control",
|
|
8
8
|
description: "Route handler accesses database without authentication check. Anyone can call this endpoint.",
|
|
9
|
-
pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
|
|
9
|
+
pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|isAuthenticated|verifyToken|checkAuth|protect)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
|
|
10
10
|
languages: ["javascript", "typescript"],
|
|
11
11
|
fix: "Add authentication check at the start of every route handler that accesses data.",
|
|
12
12
|
fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n const { userId } = await auth();\n if (!userId) return new Response("Unauthorized", { status: 401 });\n const data = await db.query(...);\n}',
|
|
13
13
|
compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(d)"],
|
|
14
14
|
},
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
severity: "high",
|
|
19
|
-
owasp: "A01:2025 Broken Access Control",
|
|
20
|
-
description: "Importing auth() from Clerk without clerkMiddleware configured. auth() returns empty data without middleware.",
|
|
21
|
-
pattern: /import\s*\{[^}]*\bauth\b[^}]*\}\s*from\s*["']@clerk\/nextjs\/server["']/g,
|
|
22
|
-
languages: ["javascript", "typescript"],
|
|
23
|
-
fix: "Ensure clerkMiddleware() is configured in proxy.ts (Next.js 16) or middleware.ts.",
|
|
24
|
-
fixCode: '// proxy.ts or middleware.ts\nimport { clerkMiddleware } from "@clerk/nextjs/server";\nexport default clerkMiddleware();',
|
|
25
|
-
compliance: ["SOC2:CC6.6"],
|
|
26
|
-
},
|
|
15
|
+
// VG421 removed — "Auth Without Middleware" requires project-level filesystem
|
|
16
|
+
// check (does middleware.ts/proxy.ts exist?) which regex-based scanning cannot do.
|
|
17
|
+
// Will be reimplemented as a project-level advisory in scan_directory.
|
|
27
18
|
{
|
|
28
19
|
id: "VG422",
|
|
29
20
|
name: "Clerk Secret Key Client Exposure",
|
|
30
21
|
severity: "critical",
|
|
31
22
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
32
23
|
description: "CLERK_SECRET_KEY is accessed in client-side code. This key grants full API access to your Clerk account.",
|
|
33
|
-
pattern: /["']use client["'][\s\S]
|
|
24
|
+
pattern: /["']use client["'][\s\S]{0,500}?CLERK_SECRET_KEY/g,
|
|
34
25
|
languages: ["javascript", "typescript"],
|
|
35
26
|
fix: "Never access CLERK_SECRET_KEY in client components. Use it only in server-side code.",
|
|
36
27
|
fixCode: '// Server-side only\nimport { clerkClient } from "@clerk/nextjs/server";\nconst users = await clerkClient.users.getUserList();',
|
|
@@ -78,7 +69,7 @@ export const authRules = [
|
|
|
78
69
|
severity: "high",
|
|
79
70
|
owasp: "A01:2025 Broken Access Control",
|
|
80
71
|
description: "Admin or dashboard route handler does not verify user role or permissions.",
|
|
81
|
-
pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole)[\s\S])*?\}/g,
|
|
72
|
+
pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole|requireAdmin|requireRole|adminOnly)[\s\S])*?\}/g,
|
|
82
73
|
languages: ["javascript", "typescript"],
|
|
83
74
|
fix: "Always verify user roles and permissions in admin routes.",
|
|
84
75
|
fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n const { userId, orgRole } = await auth();\n if (orgRole !== "org:admin") {\n return new Response("Forbidden", { status: 403 });\n }\n}',
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
package/build/data/rules/core.js
CHANGED
|
@@ -7,7 +7,7 @@ export const coreRules = [
|
|
|
7
7
|
severity: "critical",
|
|
8
8
|
owasp: "A01:2025 Broken Access Control",
|
|
9
9
|
description: "Hardcoded passwords, API keys, or secrets detected in source code.",
|
|
10
|
-
pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|
|
|
10
|
+
pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|auth_?token)\w*\s*[:=]\s*['"][^'"]{3,}['"]/gi,
|
|
11
11
|
languages: ["javascript", "typescript", "python", "go"],
|
|
12
12
|
fix: "Use environment variables (process.env.SECRET) or a secrets manager. Never commit credentials to source code.",
|
|
13
13
|
fixCode: "// Use environment variables instead\nconst password = process.env.DB_PASSWORD;\nconst apiKey = process.env.API_KEY;",
|
|
@@ -162,7 +162,7 @@ export const coreRules = [
|
|
|
162
162
|
severity: "medium",
|
|
163
163
|
owasp: "A05:2025 Security Misconfiguration",
|
|
164
164
|
description: "Debug mode or verbose error messages exposed in production.",
|
|
165
|
-
pattern: /(?:DEBUG\s*[:=]\s*['"]?(?:true|\*)|console\.log\(.*(?:password|
|
|
165
|
+
pattern: /(?:DEBUG\s*[:=]\s*['"]?(?:true|\*)|console\.log\(.*(?:password|secret_?key|api_?key|private_?key|auth_?token))/gi,
|
|
166
166
|
languages: ["javascript", "typescript", "python"],
|
|
167
167
|
fix: "Disable debug mode in production. Never expose stack traces to users.",
|
|
168
168
|
fixCode: "// Use environment-based config\nconst DEBUG = process.env.NODE_ENV !== 'production';",
|
|
@@ -232,7 +232,7 @@ export const coreRules = [
|
|
|
232
232
|
severity: "high",
|
|
233
233
|
owasp: "A10:2025 SSRF",
|
|
234
234
|
description: "User-supplied URLs passed to fetch/request functions can be used for SSRF attacks.",
|
|
235
|
-
pattern: /(?:fetch|axios|request|http\.get|urllib|requests\.get)\s*\(\s*(?:req\.|request\.|body
|
|
235
|
+
pattern: /(?:fetch|axios|request|http\.get|urllib|requests\.get)\s*\(\s*(?:req\.(?:body|query|params)\.|request\.(?:body|query)\.|body\.\w+|params\.\w+|query\.\w+)/gi,
|
|
236
236
|
languages: ["javascript", "typescript", "python", "go"],
|
|
237
237
|
fix: "Validate and allowlist URLs before making requests. Block internal IP ranges.",
|
|
238
238
|
fixCode: "// Validate URL against allowlist\nconst allowed = ['https://api.example.com'];\nconst url = new URL(input);\nif (!allowed.some(a => url.origin === a)) throw new Error('Blocked');",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAEA,6EAA6E;AAC7E,6EAA6E;AAC7E,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,OAAO,EACL
|
|
1
|
+
{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAEA,6EAA6E;AAC7E,6EAA6E;AAC7E,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,OAAO,EACL,+HAA+H;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,+GAA+G;QACpH,OAAO,EAAE,sHAAsH;QAC/H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,mBAAmB,CAAC;KAClF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gGAAgG;QAClG,OAAO,EACL,8GAA8G;QAChH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC;QACxE,GAAG,EAAE,8IAA8I;QACnJ,OAAO,EAAE,sIAAsI;QAC/I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,oEAAoE;QACtE,OAAO,EACL,2GAA2G;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uJAAuJ;QAC5J,OAAO,EAAE,2HAA2H;QACpI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,kEAAkE;QACpE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,GAAG,EAAE,2IAA2I;QAChJ,OAAO,EAAE,4GAA4G;QACrH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,gQAAgQ;QAClQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,6MAA6M;QAClN,OAAO,EAAE,oKAAoK;QAC7K,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;KACpE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,wFAAwF;QACrG,OAAO,EACL,wRAAwR;QAC1R,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC;QAChE,GAAG,EAAE,0MAA0M;QAC/M,OAAO,EAAE,wHAAwH;QACjI,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oFAAoF;QACtF,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,qIAAqI;QAC1I,6FAA6F;QAC7F,OAAO,EAAE,qJAAqJ,GAAG,+CAA+C;QAChN,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EACL,qEAAqE;QACvE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mKAAmK;QACxK,OAAO,EAAE,sHAAsH;QAC/H,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,8DAA8D;QAChE,OAAO,EACL,oGAAoG;QACtG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iIAAiI;QACtI,OAAO,EAAE,+JAA+J;QACxK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,eAAe;QACxB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,4IAA4I,GAAG,6DAA6D;QACrN,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,8FAA8F;QAChG,OAAO,EAAE,2DAA2D;QACpE,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,8FAA8F;QACnG,OAAO,EAAE,sGAAsG;KAChH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,qIAAqI;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gKAAgK;QACrK,OAAO,EAAE,6IAA6I;KACvJ;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2FAA2F;QAC7F,OAAO,EACL,+IAA+I;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gHAAgH;QACrH,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EACL,kHAAkH;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EAAE,uFAAuF;KACjG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EAAE,sFAAsF;KAChG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,6FAA6F;QAC/F,OAAO,EACL,mLAAmL;QACrL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,kFAAkF;QACvF,OAAO,EAAE,mKAAmK;QAC5K,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;KACtF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,4CAA4C;QACzD,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,0FAA0F;QACnG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iEAAiE;QACnE,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,mKAAmK;QAC5K,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,yEAAyE;QAC3E,OAAO,EACL,mGAAmG;QACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,2EAA2E;QAChF,OAAO,EAAE,oHAAoH;QAC7H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EACT,oFAAoF;QACtF,OAAO,EACL,6JAA6J;QAC/J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,qLAAqL;QAC9L,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0DAA0D;QACvE,OAAO,EACL,+FAA+F;QACjG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,mHAAmH;QAC5H,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,wDAAwD;QACrE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,wLAAwL;QACjM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qDAAqD;QAClE,OAAO,EACL,iIAAiI;QACnI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gGAAgG;QACrG,OAAO,EAAE,yJAAyJ;QAClK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kFAAkF;QACpF,OAAO,EACL,sFAAsF;QACxF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oHAAoH;QACzH,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,aAAa,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAuGvC,CAAC"}
|
|
@@ -12,18 +12,9 @@ export const databaseRules = [
|
|
|
12
12
|
fixCode: '// Server-side: use service role key\nconst supabase = createClient(\n process.env.SUPABASE_URL!,\n process.env.SUPABASE_SERVICE_ROLE_KEY!\n);',
|
|
13
13
|
compliance: ["SOC2:CC6.6", "HIPAA:§164.312(a)"],
|
|
14
14
|
},
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
severity: "medium",
|
|
19
|
-
owasp: "A01:2025 Broken Access Control",
|
|
20
|
-
description: "Supabase client queries data. Ensure Row Level Security policies are configured on your tables.",
|
|
21
|
-
pattern: /supabase\s*\.from\s*\(\s*["']\w+["']\s*\)\s*\.(?:select|insert|update|delete|upsert)\s*\(/g,
|
|
22
|
-
languages: ["javascript", "typescript"],
|
|
23
|
-
fix: "Enable Row Level Security (RLS) on all Supabase tables and create appropriate policies.",
|
|
24
|
-
fixCode: "-- Enable RLS on tables\nALTER TABLE posts ENABLE ROW LEVEL SECURITY;\n\nCREATE POLICY \"Users can read own posts\"\n ON posts FOR SELECT\n USING (auth.uid() = user_id);",
|
|
25
|
-
compliance: ["SOC2:CC6.6"],
|
|
26
|
-
},
|
|
15
|
+
// VG431 removed — "Supabase Missing RLS Warning" triggered on every single
|
|
16
|
+
// supabase.from().select() call, creating extreme noise (1000+ hits in real projects).
|
|
17
|
+
// RLS is a database-level config, not detectable from application code patterns.
|
|
27
18
|
{
|
|
28
19
|
id: "VG432",
|
|
29
20
|
name: "Prisma Raw Query Injection",
|
|
@@ -66,7 +57,7 @@ export const databaseRules = [
|
|
|
66
57
|
severity: "critical",
|
|
67
58
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
68
59
|
description: "DATABASE_URL or DIRECT_URL is accessed in client-side code. This exposes your database connection string to the browser.",
|
|
69
|
-
pattern: /["']use client["'][\s\S]
|
|
60
|
+
pattern: /["']use client["'][\s\S]{0,500}?process\.env\.(?:DATABASE_URL|DIRECT_URL)/g,
|
|
70
61
|
languages: ["javascript", "typescript"],
|
|
71
62
|
fix: "Never access database URLs in client components. Use Server Components or API routes.",
|
|
72
63
|
fixCode: "// Access database only server-side (no 'use client')\nexport default async function Page() {\n const data = await prisma.user.findMany();\n return <UserList users={data} />;\n}",
|
|
@@ -90,7 +81,7 @@ export const databaseRules = [
|
|
|
90
81
|
severity: "critical",
|
|
91
82
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
92
83
|
description: "SUPABASE_SERVICE_ROLE_KEY is accessed in client-side code. This key bypasses RLS and grants full database access.",
|
|
93
|
-
pattern: /["']use client["'][\s\S]
|
|
84
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:SUPABASE_SERVICE_ROLE_KEY|SERVICE_ROLE)/g,
|
|
94
85
|
languages: ["javascript", "typescript"],
|
|
95
86
|
fix: "Never use the service role key in client code.",
|
|
96
87
|
fixCode: '// Server-side only\n"use server";\nconst adminClient = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!);',
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD
|
|
1
|
+
{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD,2EAA2E;IAC3E,uFAAuF;IACvF,iFAAiF;IACjF;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,gJAAgJ;QAClJ,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2HAA2H;QAC7H,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oGAAoG;QACtG,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,+DAA+D;QACxE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,4EAA4E;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,qLAAqL;QACvL,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+EAA+E;QACjF,OAAO,EACL,mFAAmF;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,uIAAuI;QACzI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,oHAAoH;QACtH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAc/C,eAAO,MAAM,UAAU,qCAatB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
|
|
@@ -7,6 +7,9 @@ import { nextjsRules } from "./nextjs.js";
|
|
|
7
7
|
import { authRules } from "./auth.js";
|
|
8
8
|
import { databaseRules } from "./database.js";
|
|
9
9
|
import { deploymentRules } from "./deployment.js";
|
|
10
|
+
import { paymentRules } from "./payments.js";
|
|
11
|
+
import { serviceRules } from "./services.js";
|
|
12
|
+
import { webSecurityRules } from "./web-security.js";
|
|
10
13
|
export const owaspRules = [
|
|
11
14
|
...coreRules,
|
|
12
15
|
...goRules,
|
|
@@ -17,6 +20,9 @@ export const owaspRules = [
|
|
|
17
20
|
...authRules,
|
|
18
21
|
...databaseRules,
|
|
19
22
|
...deploymentRules,
|
|
23
|
+
...paymentRules,
|
|
24
|
+
...serviceRules,
|
|
25
|
+
...webSecurityRules,
|
|
20
26
|
];
|
|
21
27
|
// Alias for clarity — these are the built-in rules without plugins
|
|
22
28
|
export const builtinRules = owaspRules;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;CACpB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
|
|
@@ -6,7 +6,7 @@ export const nextjsRules = [
|
|
|
6
6
|
severity: "critical",
|
|
7
7
|
owasp: "A01:2025 Broken Access Control",
|
|
8
8
|
description: "Server-side environment variable accessed in a 'use client' component. These values are exposed to the browser. Only NEXT_PUBLIC_ variables are safe in client components.",
|
|
9
|
-
pattern: /["']use client["'][\s\S]
|
|
9
|
+
pattern: /["']use client["'][\s\S]{0,500}?process\.env\.(?!NEXT_PUBLIC_)\w+/g,
|
|
10
10
|
languages: ["javascript", "typescript"],
|
|
11
11
|
fix: "Move this logic to a Server Component or Server Action. Only process.env.NEXT_PUBLIC_* variables are available in client components.",
|
|
12
12
|
fixCode: '// Move to a Server Component (no \'use client\')\nexport default async function Page() {\n const secret = process.env.SECRET_KEY;\n return <ClientComponent data={safeData} />;\n}',
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,qDAAqD;QACvD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,sPAAsP;QACxP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EACL,2KAA2K;QAC7K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mEAAmE;QACxE,OAAO,EACL,uMAAuM;QACzM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uHAAuH;QACzH,OAAO,EACL,4GAA4G;QAC9G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gEAAgE;QACrE,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yGAAyG;QAC3G,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,4GAA4G;QAC9G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0HAA0H;QAC5H,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EACL,4JAA4J;QAC9J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,2FAA2F;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,yNAAyN;QAC3N,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uLAAuL;QACzL,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oOAAoO;QACtO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qIAAqI;QACvI,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yIAAyI;QAC3I,OAAO,EACL,0IAA0I;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,oRAAoR;QACtR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2LAA2L;QAC7L,OAAO,EACL,2EAA2E;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAiItC,CAAC"}
|
|
@@ -0,0 +1,111 @@
|
|
|
1
|
+
export const paymentRules = [
|
|
2
|
+
// Stripe
|
|
3
|
+
{
|
|
4
|
+
id: "VG600",
|
|
5
|
+
name: "Stripe Secret Key Client Exposure",
|
|
6
|
+
severity: "critical",
|
|
7
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
8
|
+
description: "Stripe secret key (sk_live_ or sk_test_) exposed in client-side code. This key can charge any amount to any card.",
|
|
9
|
+
pattern: /["']use client["'][\s\S]{0,500}?sk_(?:live|test)_/g,
|
|
10
|
+
languages: ["javascript", "typescript"],
|
|
11
|
+
fix: "Never use Stripe secret keys in client code. Use them only in server-side API routes.",
|
|
12
|
+
fixCode: "// Server-side only (API route or Server Action)\nimport Stripe from 'stripe';\nconst stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);",
|
|
13
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
id: "VG601",
|
|
17
|
+
name: "Stripe Webhook Missing Signature Verification",
|
|
18
|
+
severity: "critical",
|
|
19
|
+
owasp: "A01:2025 Broken Access Control",
|
|
20
|
+
description: "Stripe webhook endpoint processes events without verifying the webhook signature. Anyone can send fake payment events.",
|
|
21
|
+
pattern: /(?:\/api\/webhook|\/api\/stripe|webhook.*stripe)[\s\S]*?(?:req\.body|request\.json|JSON\.parse)[\s\S]{0,300}?(?![\s\S]{0,300}?(?:constructEvent|verifyHeader|stripe\.webhooks))/g,
|
|
22
|
+
languages: ["javascript", "typescript"],
|
|
23
|
+
fix: "Always verify Stripe webhook signatures using stripe.webhooks.constructEvent().",
|
|
24
|
+
fixCode: "// Verify webhook signature\nconst sig = request.headers.get('stripe-signature')!;\nconst event = stripe.webhooks.constructEvent(\n body, sig, process.env.STRIPE_WEBHOOK_SECRET!\n);",
|
|
25
|
+
compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
id: "VG602",
|
|
29
|
+
name: "Stripe Price Amount Client-Side",
|
|
30
|
+
severity: "high",
|
|
31
|
+
owasp: "A04:2025 Insecure Design",
|
|
32
|
+
description: "Price amount sent from client to server for payment. Users can modify the amount in browser DevTools.",
|
|
33
|
+
pattern: /(?:amount|price|total)\s*[:=]\s*(?:req\.body|request\.body|body\.)[\s\S]{0,100}?(?:stripe|payment|checkout|charge)/gi,
|
|
34
|
+
languages: ["javascript", "typescript"],
|
|
35
|
+
fix: "Always calculate prices server-side. Use Stripe Price IDs or calculate from your database, never trust client-sent amounts.",
|
|
36
|
+
fixCode: "// Use Stripe Price IDs, not client amounts\nconst session = await stripe.checkout.sessions.create({\n line_items: [{ price: 'price_xxx', quantity: 1 }], // Price ID from Stripe dashboard\n});",
|
|
37
|
+
compliance: ["PCI-DSS:Req6.5.1"],
|
|
38
|
+
},
|
|
39
|
+
{
|
|
40
|
+
id: "VG603",
|
|
41
|
+
name: "Hardcoded Stripe Key",
|
|
42
|
+
severity: "critical",
|
|
43
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
44
|
+
description: "Stripe API key hardcoded in source code instead of environment variable.",
|
|
45
|
+
pattern: /(?:stripe|Stripe)\s*\(\s*["']sk_(?:live|test)_[A-Za-z0-9]{10,}["']/g,
|
|
46
|
+
languages: ["javascript", "typescript"],
|
|
47
|
+
fix: "Use environment variables for Stripe keys.",
|
|
48
|
+
fixCode: "const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);",
|
|
49
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
|
|
50
|
+
},
|
|
51
|
+
{
|
|
52
|
+
id: "VG604",
|
|
53
|
+
name: "NEXT_PUBLIC Stripe Secret Key",
|
|
54
|
+
severity: "critical",
|
|
55
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
56
|
+
description: "Stripe secret key exposed via NEXT_PUBLIC_ prefix. Only the publishable key (pk_) should be public.",
|
|
57
|
+
pattern: /NEXT_PUBLIC_\w*STRIPE\w*SECRET/gi,
|
|
58
|
+
languages: ["javascript", "typescript", "shell"],
|
|
59
|
+
fix: "Remove NEXT_PUBLIC_ prefix from Stripe secret key. Only NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY should be public.",
|
|
60
|
+
fixCode: "# .env.local\nSTRIPE_SECRET_KEY=sk_live_xxx # server only\nNEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_live_xxx # safe to expose",
|
|
61
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
|
|
62
|
+
},
|
|
63
|
+
// LemonSqueezy
|
|
64
|
+
{
|
|
65
|
+
id: "VG605",
|
|
66
|
+
name: "LemonSqueezy API Key Exposure",
|
|
67
|
+
severity: "critical",
|
|
68
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
69
|
+
description: "LemonSqueezy API key exposed in client-side code.",
|
|
70
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:LEMONSQUEEZY_API_KEY|LEMON_SQUEEZY_API_KEY)/g,
|
|
71
|
+
languages: ["javascript", "typescript"],
|
|
72
|
+
fix: "Use LemonSqueezy API key only in server-side code.",
|
|
73
|
+
compliance: ["SOC2:CC6.1"],
|
|
74
|
+
},
|
|
75
|
+
{
|
|
76
|
+
id: "VG606",
|
|
77
|
+
name: "LemonSqueezy Webhook Missing Signature",
|
|
78
|
+
severity: "high",
|
|
79
|
+
owasp: "A01:2025 Broken Access Control",
|
|
80
|
+
description: "LemonSqueezy webhook processes events without verifying the X-Signature header.",
|
|
81
|
+
pattern: /(?:lemonsqueezy|lemon.?squeezy)[\s\S]{0,500}?(?:req\.body|request\.json)[\s\S]{0,300}?(?![\s\S]{0,300}?(?:verify|signature|x-signature|hmac|crypto))/gi,
|
|
82
|
+
languages: ["javascript", "typescript"],
|
|
83
|
+
fix: "Verify the X-Signature header using HMAC-SHA256 with your webhook secret.",
|
|
84
|
+
fixCode: "// Verify LemonSqueezy webhook\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-signature');\nconst hash = crypto.createHmac('sha256', process.env.LEMON_SQUEEZY_WEBHOOK_SECRET!)\n .update(body).digest('hex');\nif (sig !== hash) return new Response('Invalid', { status: 401 });",
|
|
85
|
+
compliance: ["SOC2:CC6.6"],
|
|
86
|
+
},
|
|
87
|
+
// Polar.sh
|
|
88
|
+
{
|
|
89
|
+
id: "VG607",
|
|
90
|
+
name: "Polar API Key Exposure",
|
|
91
|
+
severity: "critical",
|
|
92
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
93
|
+
description: "Polar.sh API key or access token exposed in client-side code.",
|
|
94
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:POLAR_ACCESS_TOKEN|POLAR_API_KEY|polar.*(?:access_token|api_key))/gi,
|
|
95
|
+
languages: ["javascript", "typescript"],
|
|
96
|
+
fix: "Use Polar API keys only in server-side code.",
|
|
97
|
+
compliance: ["SOC2:CC6.1"],
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
id: "VG608",
|
|
101
|
+
name: "Payment Webhook Missing Auth",
|
|
102
|
+
severity: "high",
|
|
103
|
+
owasp: "A01:2025 Broken Access Control",
|
|
104
|
+
description: "Payment webhook endpoint has no signature verification or authentication. Attackers can fake payment confirmations.",
|
|
105
|
+
pattern: /(?:\/api\/webhook|\/api\/payment|\/api\/checkout)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|constructEvent|hmac|crypto\.createHmac|webhookSecret)[\s\S])*?\}/g,
|
|
106
|
+
languages: ["javascript", "typescript"],
|
|
107
|
+
fix: "Always verify webhook signatures before processing payment events.",
|
|
108
|
+
compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
|
|
109
|
+
},
|
|
110
|
+
];
|
|
111
|
+
//# sourceMappingURL=payments.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,wSAAwS;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAyItC,CAAC"}
|
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
export const serviceRules = [
|
|
2
|
+
// Resend Email
|
|
3
|
+
{
|
|
4
|
+
id: "VG620",
|
|
5
|
+
name: "Resend API Key Client Exposure",
|
|
6
|
+
severity: "critical",
|
|
7
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
8
|
+
description: "Resend API key exposed in client-side code. This allows anyone to send emails from your account.",
|
|
9
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:RESEND_API_KEY|re_[A-Za-z0-9]{20,})/g,
|
|
10
|
+
languages: ["javascript", "typescript"],
|
|
11
|
+
fix: "Use Resend API key only in server-side code (API routes or Server Actions).",
|
|
12
|
+
fixCode: '"use server";\nimport { Resend } from "resend";\nconst resend = new Resend(process.env.RESEND_API_KEY);',
|
|
13
|
+
compliance: ["SOC2:CC6.1"],
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
id: "VG621",
|
|
17
|
+
name: "Hardcoded Resend API Key",
|
|
18
|
+
severity: "critical",
|
|
19
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
20
|
+
description: "Resend API key hardcoded in source code.",
|
|
21
|
+
pattern: /(?:Resend|resend)\s*\(\s*["']re_[A-Za-z0-9]{10,}["']/g,
|
|
22
|
+
languages: ["javascript", "typescript"],
|
|
23
|
+
fix: "Use environment variable for Resend API key.",
|
|
24
|
+
fixCode: 'const resend = new Resend(process.env.RESEND_API_KEY);',
|
|
25
|
+
compliance: ["SOC2:CC6.1"],
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
id: "VG622",
|
|
29
|
+
name: "Email Content Injection",
|
|
30
|
+
severity: "high",
|
|
31
|
+
owasp: "A03:2025 Injection",
|
|
32
|
+
description: "User input directly used in email headers (to, from, subject, cc, bcc) without validation. Can be used for email injection/spam.",
|
|
33
|
+
pattern: /(?:resend|sendgrid|nodemailer)[\s\S]{0,300}?(?:to|from|cc|bcc|subject)\s*:\s*(?:req\.body|request\.body|body\.|formData\.get|params\.)/gi,
|
|
34
|
+
languages: ["javascript", "typescript"],
|
|
35
|
+
fix: "Validate and sanitize all email fields. Use allowlists for recipient addresses when possible.",
|
|
36
|
+
fixCode: '// Validate email before sending\nimport { z } from "zod";\nconst schema = z.object({ to: z.string().email(), subject: z.string().max(200) });\nconst data = schema.parse(input);',
|
|
37
|
+
compliance: ["SOC2:CC7.1"],
|
|
38
|
+
},
|
|
39
|
+
// Upstash Redis
|
|
40
|
+
{
|
|
41
|
+
id: "VG625",
|
|
42
|
+
name: "Upstash Redis URL Client Exposure",
|
|
43
|
+
severity: "critical",
|
|
44
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
45
|
+
description: "Upstash Redis REST URL or token exposed in client-side code. This gives full access to your Redis database.",
|
|
46
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:UPSTASH_REDIS_REST_URL|UPSTASH_REDIS_REST_TOKEN|KV_REST_API_URL|KV_REST_API_TOKEN)/g,
|
|
47
|
+
languages: ["javascript", "typescript"],
|
|
48
|
+
fix: "Use Upstash Redis only in server-side code.",
|
|
49
|
+
fixCode: '// Server-side only\nimport { Redis } from "@upstash/redis";\nconst redis = Redis.fromEnv(); // reads from env automatically',
|
|
50
|
+
compliance: ["SOC2:CC6.1"],
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
id: "VG626",
|
|
54
|
+
name: "Hardcoded Redis Connection String",
|
|
55
|
+
severity: "critical",
|
|
56
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
57
|
+
description: "Redis connection URL or token hardcoded in source code.",
|
|
58
|
+
pattern: /(?:redis|Redis|upstash)[\s\S]{0,100}?(?:url|token)\s*[:=]\s*["'](?:https?:\/\/|redis:\/\/|rediss:\/\/)[^"']{10,}["']/gi,
|
|
59
|
+
languages: ["javascript", "typescript"],
|
|
60
|
+
fix: "Use environment variables for Redis connection details.",
|
|
61
|
+
compliance: ["SOC2:CC6.1"],
|
|
62
|
+
},
|
|
63
|
+
{
|
|
64
|
+
id: "VG627",
|
|
65
|
+
name: "NEXT_PUBLIC Redis Credentials",
|
|
66
|
+
severity: "critical",
|
|
67
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
68
|
+
description: "Redis credentials exposed via NEXT_PUBLIC_ prefix.",
|
|
69
|
+
pattern: /NEXT_PUBLIC_\w*(?:REDIS|UPSTASH|KV)\w*(?:URL|TOKEN|SECRET)\s*=/gi,
|
|
70
|
+
languages: ["javascript", "typescript", "shell"],
|
|
71
|
+
fix: "Remove NEXT_PUBLIC_ prefix from Redis credentials. Access them only server-side.",
|
|
72
|
+
compliance: ["SOC2:CC6.1"],
|
|
73
|
+
},
|
|
74
|
+
// Pinecone
|
|
75
|
+
{
|
|
76
|
+
id: "VG630",
|
|
77
|
+
name: "Pinecone API Key Client Exposure",
|
|
78
|
+
severity: "critical",
|
|
79
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
80
|
+
description: "Pinecone API key exposed in client-side code. This gives full access to your vector database.",
|
|
81
|
+
pattern: /["']use client["'][\s\S]{0,500}?PINECONE_API_KEY/g,
|
|
82
|
+
languages: ["javascript", "typescript"],
|
|
83
|
+
fix: "Use Pinecone API key only in server-side code.",
|
|
84
|
+
compliance: ["SOC2:CC6.1"],
|
|
85
|
+
},
|
|
86
|
+
{
|
|
87
|
+
id: "VG631",
|
|
88
|
+
name: "NEXT_PUBLIC Pinecone Key",
|
|
89
|
+
severity: "critical",
|
|
90
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
91
|
+
description: "Pinecone API key exposed via NEXT_PUBLIC_ prefix.",
|
|
92
|
+
pattern: /NEXT_PUBLIC_\w*PINECONE\w*(?:KEY|SECRET|TOKEN)\s*=/gi,
|
|
93
|
+
languages: ["javascript", "typescript", "shell"],
|
|
94
|
+
fix: "Remove NEXT_PUBLIC_ prefix. Pinecone keys must be server-side only.",
|
|
95
|
+
compliance: ["SOC2:CC6.1"],
|
|
96
|
+
},
|
|
97
|
+
// PostHog
|
|
98
|
+
{
|
|
99
|
+
id: "VG635",
|
|
100
|
+
name: "PostHog Secret API Key Exposure",
|
|
101
|
+
severity: "critical",
|
|
102
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
103
|
+
description: "PostHog personal/secret API key exposed in client-side code. The project API key is safe to expose, but personal API keys grant full access.",
|
|
104
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:POSTHOG_PERSONAL_API_KEY|phx_[A-Za-z0-9]{20,})/g,
|
|
105
|
+
languages: ["javascript", "typescript"],
|
|
106
|
+
fix: "Only the PostHog project API key (phc_) should be in client code. Personal API keys (phx_) must be server-side only.",
|
|
107
|
+
fixCode: "# Safe to expose (project key)\nNEXT_PUBLIC_POSTHOG_KEY=phc_xxx\n\n# Server-side only (personal key)\nPOSTHOG_PERSONAL_API_KEY=phx_xxx",
|
|
108
|
+
compliance: ["SOC2:CC6.1"],
|
|
109
|
+
},
|
|
110
|
+
{
|
|
111
|
+
id: "VG636",
|
|
112
|
+
name: "Analytics PII Data Exposure",
|
|
113
|
+
severity: "high",
|
|
114
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
115
|
+
description: "Personally identifiable information (email, phone, SSN, credit card) sent to analytics. This violates GDPR/CCPA and platform terms.",
|
|
116
|
+
pattern: /(?:posthog|analytics|gtag|ga)\s*[\.\(][\s\S]{0,200}?(?:capture|track|identify|event|send)\s*\([\s\S]{0,300}?(?:email|phone|ssn|creditCard|password|socialSecurity)/gi,
|
|
117
|
+
languages: ["javascript", "typescript"],
|
|
118
|
+
fix: "Never send PII to analytics. Hash or anonymize user identifiers.",
|
|
119
|
+
fixCode: "// Anonymize before tracking\nposthog.identify(hashedUserId); // not email\nposthog.capture('purchase', { plan: 'pro', amount: 29 }); // no PII",
|
|
120
|
+
compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
|
|
121
|
+
},
|
|
122
|
+
// Google Analytics
|
|
123
|
+
{
|
|
124
|
+
id: "VG637",
|
|
125
|
+
name: "Google Analytics PII Tracking",
|
|
126
|
+
severity: "high",
|
|
127
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
128
|
+
description: "PII data sent to Google Analytics. This violates Google's ToS and privacy regulations.",
|
|
129
|
+
pattern: /(?:gtag|ga|dataLayer\.push)\s*\([\s\S]{0,300}?(?:email|user_email|phone|ssn|password)/gi,
|
|
130
|
+
languages: ["javascript", "typescript"],
|
|
131
|
+
fix: "Never send PII to Google Analytics. Use anonymous IDs.",
|
|
132
|
+
compliance: ["SOC2:CC6.1"],
|
|
133
|
+
},
|
|
134
|
+
];
|
|
135
|
+
//# sourceMappingURL=services.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"services.js","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kGAAkG;QAC/G,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EAAE,wDAAwD;QACjE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,kIAAkI;QAC/I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+FAA+F;QACpG,OAAO,EAAE,mLAAmL;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6GAA6G;QAC1H,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6CAA6C;QAClD,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yDAAyD;QACtE,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,kFAAkF;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+FAA+F;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,UAAU;IACV;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,8IAA8I;QAC3J,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sHAAsH;QAC3H,OAAO,EAAE,wIAAwI;QACjJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qIAAqI;QAClJ,OAAO,EAAE,sKAAsK;QAC/K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,iJAAiJ;QAC1J,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,wFAAwF;QACrG,OAAO,EAAE,yFAAyF;QAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,wDAAwD;QAC7D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA4K1C,CAAC"}
|
|
@@ -0,0 +1,169 @@
|
|
|
1
|
+
export const webSecurityRules = [
|
|
2
|
+
// Webhook Security
|
|
3
|
+
{
|
|
4
|
+
id: "VG650",
|
|
5
|
+
name: "Webhook Missing Signature Verification",
|
|
6
|
+
severity: "high",
|
|
7
|
+
owasp: "A01:2025 Broken Access Control",
|
|
8
|
+
description: "Webhook endpoint processes incoming events without verifying the request signature. Attackers can send forged events.",
|
|
9
|
+
pattern: /(?:\/api\/webhook|\/webhook)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|hmac|crypto|constructEvent|svix|webhookSecret)[\s\S])*?\}/g,
|
|
10
|
+
languages: ["javascript", "typescript"],
|
|
11
|
+
fix: "Always verify webhook signatures before processing events.",
|
|
12
|
+
fixCode: "// Verify webhook signature\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-webhook-signature');\nconst expected = crypto.createHmac('sha256', process.env.WEBHOOK_SECRET!)\n .update(body).digest('hex');\nif (sig !== expected) return new Response('Unauthorized', { status: 401 });",
|
|
13
|
+
compliance: ["SOC2:CC6.6"],
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
id: "VG651",
|
|
17
|
+
name: "Webhook Secret Hardcoded",
|
|
18
|
+
severity: "critical",
|
|
19
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
20
|
+
description: "Webhook signing secret hardcoded in source code.",
|
|
21
|
+
pattern: /(?:webhook_?secret|signing_?secret|whsec_)\s*[:=]\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
|
|
22
|
+
languages: ["javascript", "typescript"],
|
|
23
|
+
fix: "Use environment variables for webhook secrets.",
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
// .env Security
|
|
27
|
+
{
|
|
28
|
+
id: "VG655",
|
|
29
|
+
name: "Sensitive Env Var in NEXT_PUBLIC",
|
|
30
|
+
severity: "critical",
|
|
31
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
32
|
+
description: "A sensitive service credential is exposed via NEXT_PUBLIC_ prefix. NEXT_PUBLIC_ variables are embedded in the client JavaScript bundle.",
|
|
33
|
+
pattern: /NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE|API_KEY|ACCESS_TOKEN|AUTH_TOKEN|SIGNING|WEBHOOK)\w*\s*=/gi,
|
|
34
|
+
languages: ["shell", "javascript", "typescript"],
|
|
35
|
+
fix: "Remove NEXT_PUBLIC_ prefix from sensitive credentials. Access them only in server-side code.",
|
|
36
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG656",
|
|
40
|
+
name: ".env File Committed to Git",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
43
|
+
description: ".env file with secrets appears to be tracked by git. Secrets will be visible in repository history.",
|
|
44
|
+
pattern: /^(?:SUPABASE_SERVICE_ROLE_KEY|STRIPE_SECRET_KEY|DATABASE_URL|RESEND_API_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY|CLERK_SECRET_KEY|AUTH_SECRET|NEXTAUTH_SECRET)\s*=\s*\S{10,}/gm,
|
|
45
|
+
languages: ["shell"],
|
|
46
|
+
fix: "Add .env* to .gitignore immediately. Rotate any exposed secrets.",
|
|
47
|
+
fixCode: "# .gitignore\n.env\n.env.*\n.env.local\n!.env.example",
|
|
48
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG657",
|
|
52
|
+
name: ".env.example Contains Real Secrets",
|
|
53
|
+
severity: "high",
|
|
54
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
55
|
+
description: ".env.example file contains what appears to be real secret values instead of placeholders.",
|
|
56
|
+
pattern: /(?:SECRET|KEY|TOKEN|PASSWORD)\w*\s*=\s*(?:sk_live_|sk_test_|re_|whsec_|phx_|AKIA|ghp_|gho_)[A-Za-z0-9]{10,}/g,
|
|
57
|
+
languages: ["shell"],
|
|
58
|
+
fix: "Replace real values in .env.example with placeholders.",
|
|
59
|
+
fixCode: "# .env.example — use placeholders\nSTRIPE_SECRET_KEY=sk_test_your_key_here\nRESEND_API_KEY=re_your_key_here",
|
|
60
|
+
compliance: ["SOC2:CC6.1"],
|
|
61
|
+
},
|
|
62
|
+
// SEO / Meta Security
|
|
63
|
+
{
|
|
64
|
+
id: "VG660",
|
|
65
|
+
name: "Open Redirect in Meta Tags",
|
|
66
|
+
severity: "medium",
|
|
67
|
+
owasp: "A01:2025 Broken Access Control",
|
|
68
|
+
description: "Dynamic user input used in meta refresh or og:url tags. Can be used for phishing via open redirect.",
|
|
69
|
+
pattern: /(?:meta.*?(?:refresh|og:url)|(?:openGraph|twitter)[\s\S]{0,200}?url)\s*[:=]\s*(?:params|searchParams|query|req\.|request\.)/gi,
|
|
70
|
+
languages: ["javascript", "typescript"],
|
|
71
|
+
fix: "Validate and sanitize URLs used in meta tags. Use allowlists for domains.",
|
|
72
|
+
compliance: ["SOC2:CC6.6"],
|
|
73
|
+
},
|
|
74
|
+
{
|
|
75
|
+
id: "VG661",
|
|
76
|
+
name: "Sensitive Path in robots.txt",
|
|
77
|
+
severity: "medium",
|
|
78
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
79
|
+
description: "robots.txt disallows sensitive paths, revealing their existence to attackers. Disallow does not prevent access.",
|
|
80
|
+
pattern: /Disallow:\s*\/(?:admin|dashboard|internal|staging|debug|phpMyAdmin|\.env|backup|api\/internal)/gi,
|
|
81
|
+
languages: ["shell"],
|
|
82
|
+
fix: "Don't rely on robots.txt for security. Use authentication to protect sensitive paths. robots.txt is publicly readable.",
|
|
83
|
+
compliance: ["SOC2:CC6.6"],
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
id: "VG662",
|
|
87
|
+
name: "Source Map Publicly Accessible",
|
|
88
|
+
severity: "medium",
|
|
89
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
90
|
+
description: "Source maps are generated for production builds, exposing original source code.",
|
|
91
|
+
pattern: /productionBrowserSourceMaps\s*:\s*true/g,
|
|
92
|
+
languages: ["javascript", "typescript"],
|
|
93
|
+
fix: "Set productionBrowserSourceMaps to false in next.config.",
|
|
94
|
+
fixCode: "// next.config.ts\nmodule.exports = {\n productionBrowserSourceMaps: false,\n};",
|
|
95
|
+
compliance: ["SOC2:CC6.1"],
|
|
96
|
+
},
|
|
97
|
+
// GitHub / Git Security
|
|
98
|
+
{
|
|
99
|
+
id: "VG665",
|
|
100
|
+
name: "GitHub Token Hardcoded",
|
|
101
|
+
severity: "critical",
|
|
102
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
103
|
+
description: "GitHub personal access token or app token hardcoded in source code.",
|
|
104
|
+
pattern: /(?:github_?token|gh_?token|GITHUB_TOKEN)\s*[:=]\s*["'](?:ghp_|gho_|ghu_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{10,}["']/gi,
|
|
105
|
+
languages: ["javascript", "typescript", "python", "shell"],
|
|
106
|
+
fix: "Use environment variables for GitHub tokens.",
|
|
107
|
+
compliance: ["SOC2:CC6.1"],
|
|
108
|
+
},
|
|
109
|
+
// Cloudflare
|
|
110
|
+
{
|
|
111
|
+
id: "VG670",
|
|
112
|
+
name: "Cloudflare API Token Client Exposure",
|
|
113
|
+
severity: "critical",
|
|
114
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
115
|
+
description: "Cloudflare API token or key exposed in client-side code.",
|
|
116
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:CLOUDFLARE_API_TOKEN|CF_API_TOKEN|CLOUDFLARE_API_KEY)/g,
|
|
117
|
+
languages: ["javascript", "typescript"],
|
|
118
|
+
fix: "Use Cloudflare API tokens only in server-side code.",
|
|
119
|
+
compliance: ["SOC2:CC6.1"],
|
|
120
|
+
},
|
|
121
|
+
{
|
|
122
|
+
id: "VG671",
|
|
123
|
+
name: "NEXT_PUBLIC Cloudflare Credentials",
|
|
124
|
+
severity: "critical",
|
|
125
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
126
|
+
description: "Cloudflare API credentials exposed via NEXT_PUBLIC_ prefix.",
|
|
127
|
+
pattern: /NEXT_PUBLIC_\w*(?:CLOUDFLARE|CF)\w*(?:API|TOKEN|KEY|SECRET)\s*=/gi,
|
|
128
|
+
languages: ["javascript", "typescript", "shell"],
|
|
129
|
+
fix: "Remove NEXT_PUBLIC_ prefix from Cloudflare credentials.",
|
|
130
|
+
compliance: ["SOC2:CC6.1"],
|
|
131
|
+
},
|
|
132
|
+
// OpenAI / AI Keys
|
|
133
|
+
{
|
|
134
|
+
id: "VG675",
|
|
135
|
+
name: "AI API Key Client Exposure",
|
|
136
|
+
severity: "critical",
|
|
137
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
138
|
+
description: "AI provider API key (OpenAI, Anthropic, Google AI) exposed in client-side code. These keys have direct cost implications.",
|
|
139
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:OPENAI_API_KEY|ANTHROPIC_API_KEY|GOOGLE_AI_API_KEY|GOOGLE_GENERATIVE_AI_API_KEY)/g,
|
|
140
|
+
languages: ["javascript", "typescript"],
|
|
141
|
+
fix: "Use AI API keys only in server-side code. Use API routes to proxy AI requests.",
|
|
142
|
+
fixCode: "// Server-side only (API route)\nimport OpenAI from 'openai';\nconst openai = new OpenAI(); // reads OPENAI_API_KEY from env",
|
|
143
|
+
compliance: ["SOC2:CC6.1"],
|
|
144
|
+
},
|
|
145
|
+
{
|
|
146
|
+
id: "VG676",
|
|
147
|
+
name: "NEXT_PUBLIC AI API Key",
|
|
148
|
+
severity: "critical",
|
|
149
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
150
|
+
description: "AI provider API key exposed via NEXT_PUBLIC_ prefix. Anyone can use your AI credits.",
|
|
151
|
+
pattern: /NEXT_PUBLIC_\w*(?:OPENAI|ANTHROPIC|GOOGLE_AI|GEMINI|COHERE|REPLICATE)\w*(?:KEY|TOKEN|SECRET)\s*=/gi,
|
|
152
|
+
languages: ["javascript", "typescript", "shell"],
|
|
153
|
+
fix: "Remove NEXT_PUBLIC_ prefix from AI API keys. Route AI requests through server-side API routes.",
|
|
154
|
+
compliance: ["SOC2:CC6.1"],
|
|
155
|
+
},
|
|
156
|
+
{
|
|
157
|
+
id: "VG677",
|
|
158
|
+
name: "Hardcoded AI API Key",
|
|
159
|
+
severity: "critical",
|
|
160
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
161
|
+
description: "AI provider API key hardcoded in source code.",
|
|
162
|
+
pattern: /(?:openai|OpenAI|anthropic|Anthropic)\s*\(\s*\{\s*apiKey\s*:\s*["'](?:sk-|sk-ant-)[A-Za-z0-9\-]{10,}["']/g,
|
|
163
|
+
languages: ["javascript", "typescript"],
|
|
164
|
+
fix: "Use environment variables for AI API keys.",
|
|
165
|
+
fixCode: "// Reads from OPENAI_API_KEY env automatically\nconst openai = new OpenAI();",
|
|
166
|
+
compliance: ["SOC2:CC6.1"],
|
|
167
|
+
},
|
|
168
|
+
];
|
|
169
|
+
//# sourceMappingURL=web-security.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,uHAAuH;QACpI,OAAO,EAAE,6KAA6K;QACtL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EAAE,4SAA4S;QACrT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,mFAAmF;QAC5F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yIAAyI;QACtJ,OAAO,EAAE,yGAAyG;QAClH,SAAS,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC;QAChD,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,4KAA4K;QACrL,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2FAA2F;QACxG,OAAO,EAAE,8GAA8G;QACvH,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EAAE,6GAA6G;QACtH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,+HAA+H;QACxI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iHAAiH;QAC9H,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wHAAwH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iFAAiF;QAC9F,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EAAE,kFAAkF;QAC3F,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qEAAqE;QAClF,OAAO,EAAE,uHAAuH;QAChI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC;QAC1D,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,aAAa;IACb;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0DAA0D;QACvE,OAAO,EAAE,2FAA2F;QACpG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qDAAqD;QAC1D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EAAE,mEAAmE;QAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2HAA2H;QACxI,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gFAAgF;QACrF,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,sFAAsF;QACnG,OAAO,EAAE,oGAAoG;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,2GAA2G;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,8EAA8E;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
package/build/index.js
CHANGED
|
@@ -18,7 +18,7 @@ import { builtinRules } from "./data/rules/index.js";
|
|
|
18
18
|
import { loadConfig } from "./utils/config.js";
|
|
19
19
|
const server = new McpServer({
|
|
20
20
|
name: "guardvibe",
|
|
21
|
-
version: "0.
|
|
21
|
+
version: "0.9.0",
|
|
22
22
|
});
|
|
23
23
|
// Tool 1: Analyze code for security vulnerabilities
|
|
24
24
|
server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
|
package/package.json
CHANGED