guardvibe 1.9.2 → 1.9.3

package/build/data/rules/nextjs.js

@@ -180,4 +180,28 @@ export const nextjsRules = [
         fixCode: '<!-- EJS: use escaped output -->\n<p><%= userInput %></p>   <!-- SAFE: HTML-escaped -->\n<!-- NOT: <%- userInput %>  DANGEROUS: raw HTML -->\n\n<!-- Handlebars: use double braces -->\n<p>{{userInput}}</p>      <!-- SAFE: escaped -->\n<!-- NOT: {{{userInput}}}   DANGEROUS: raw HTML -->\n\n<!-- Pug: use = not != -->\np= userInput              //- SAFE: escaped\n//- NOT: p!= userInput    DANGEROUS: raw HTML',
         compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
     },
+    {
+        id: "VG415",
+        name: "Cached Function Exposes User-Specific Data",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "A function marked with 'use cache' accesses user-specific data (auth, session, cookies, headers) but caches the result. Cached data is shared across all users, leaking one user's data to others.",
+        pattern: /["']use cache["'][\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|cookies\s*\(|headers\s*\()/g,
+        languages: ["javascript", "typescript"],
+        fix: "Do not access user-specific data inside cached functions. Pass user-independent parameters only, or use cacheTag with user-specific tags.",
+        fixCode: '// BAD: caches user-specific data\n"use cache";\nasync function getData() {\n  const { userId } = await auth(); // WRONG in cached fn!\n  return db.items.findMany({ where: { userId } });\n}\n\n// GOOD: cache only shared data\n"use cache";\nasync function getPublicPosts() {\n  return db.posts.findMany({ where: { published: true } });\n}',
+        compliance: ["SOC2:CC6.1"],
+    },
+    {
+        id: "VG416",
+        name: "Cached Function Without Revalidation Strategy",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "A function marked with 'use cache' does not specify a cacheLife or cacheTag for revalidation. Without explicit revalidation, stale data may be served indefinitely, including outdated security-sensitive information.",
+        pattern: /["']use cache["'](?:(?!cacheLife|cacheTag|unstable_cache)[\s\S]){10,}?(?:return|export)/g,
+        languages: ["javascript", "typescript"],
+        fix: "Add cacheLife() or cacheTag() inside cached functions to control revalidation.",
+        fixCode: '"use cache";\nimport { cacheLife, cacheTag } from "next/cache";\n\nasync function getCachedData() {\n  cacheLife("hours");\n  cacheTag("data-feed");\n  return db.posts.findMany();\n}\n\n// Revalidate when data changes:\nimport { revalidateTag } from "next/cache";\nrevalidateTag("data-feed");',
+        compliance: ["SOC2:CC7.1"],
+    },
 ];

package/build/tools/check-code.js

@@ -47,23 +47,38 @@ function isInsideStringLiteral(lines, lineNumber, code, matchIndex) {
     const line = lines[lineNumber - 1];
     if (!line)
         return false;
-    const trimmed = line.trimStart();
-    // Line is part of a template literal or multi-line string
-    // Check if we're between backticks by counting unescaped backticks before this point
+    // 1. Template literal: count unescaped backticks before this point
     const before = code.substring(0, matchIndex);
     const backtickCount = (before.match(/(?<!\\)`/g) || []).length;
     if (backtickCount % 2 === 1)
-        return true; // inside template literal
-    // Line is a string property value (fixCode, description, fix, exploit, audit, fixCode)
-    // Look backwards to find if this line is inside a property assignment string
+        return true;
+    // 2. The match line itself is a string continuation (starts with quote + or ends with +quote)
+    const trimmed = line.trimStart();
+    if (/^["']/.test(trimmed) && /\+\s*$/.test(line))
+        return true; // "string" +
+    if (/^\s*\+\s*["']/.test(line))
+        return true; // + "string continuation"
+    // 3. Line contains escaped newlines (\n) suggesting it's inside a string value
+    const quotesBefore = line.substring(0, line.indexOf(trimmed.charAt(0)));
+    if (/\\n/.test(line) && /["'`].*\\n/.test(line)) {
+        // Extra check: is the match portion inside quotes on this line?
+        const matchEnd = matchIndex + 20; // approximate
+        const lineStart = code.lastIndexOf("\n", matchIndex) + 1;
+        const col = matchIndex - lineStart;
+        const beforeCol = line.substring(0, col);
+        const singleQuotes = (beforeCol.match(/(?<!\\)'/g) || []).length;
+        const doubleQuotes = (beforeCol.match(/(?<!\\)"/g) || []).length;
+        if (singleQuotes % 2 === 1 || doubleQuotes % 2 === 1)
+            return true;
+    }
+    // 4. Look backwards for property assignment context (fixCode, description, etc.)
     for (let i = lineNumber - 1; i >= Math.max(0, lineNumber - 20); i--) {
         const prev = lines[i]?.trimStart() || "";
-        // Property assignment with string value that likely spans lines
-        if (/^(?:fixCode|fix|description|exploit|audit|fixCode)\s*[:=]/.test(prev))
+        if (/^(?:fixCode|fix|description|exploit|audit)\s*[:=]/.test(prev))
             return true;
         if (/^(?:fixCode|fix|description|exploit|audit)\s*:\s*$/.test(prev))
             return true;
-        // Hit a rule boundary (id: "VG...) — stop looking
+        // Hit a rule boundary — stop looking
         if (/^\s*id\s*:\s*["']VG/.test(prev))
             break;
         if (/^\s*\{/.test(prev) && i < lineNumber - 2)
@@ -90,7 +105,32 @@ function isHumanReadableString(lines, lineNumber) {
         return true;
     return false;
 }
+/**
+ * Detect if a file is a security rule definition file.
+ * These files intentionally contain vulnerable code patterns
+ * as regex matchers and fixCode examples — scanning them is meaningless.
+ */
+function isRuleDefinitionFile(code, filePath) {
+    // Path-based: known rule definition directories
+    if (filePath && /(?:\/rules\/|\/data\/rules\/)/.test(filePath)) {
+        // Confirm it actually exports SecurityRule objects
+        if (/SecurityRule\s*\[\]/.test(code) && /id:\s*["']VG\d+["']/.test(code)) {
+            return true;
+        }
+    }
+    // Content-based: file defines multiple VG rules with pattern: regex
+    if (/id:\s*["']VG\d+["']/g.test(code) && /pattern:\s*\//.test(code)) {
+        const ruleCount = (code.match(/id:\s*["']VG\d+["']/g) || []).length;
+        if (ruleCount >= 3)
+            return true; // 3+ rule definitions = rule file
+    }
+    return false;
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
+    // Skip files that are security rule definitions (they intentionally contain
+    // vulnerable code patterns as regex matchers and fixCode examples)
+    if (isRuleDefinitionFile(code, filePath))
+        return [];
     const config = loadConfig(configDir);
     const ignoreEntries = loadIgnoreFile(configDir || process.cwd());
     const findings = [];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.2",
+  "version": "1.9.3",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {