guardvibe 1.9.6 → 2.0.1

package/build/data/rules/api-security.js

@@ -33,7 +33,7 @@ export const apiSecurityRules = [
         severity: "high",
         owasp: "API2:2023 Broken Authentication",
         description: "Next.js Route Handler that performs data operations without any authentication check. API routes are publicly accessible by default.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|requireRole|isAuthenticated|verifyToken|checkAuth|clerkClient|getToken|session|protect|withAuth)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|requireRole|isAuthenticated|verifyToken|checkAuth|clerkClient|getToken|session|protect|withAuth|verifyAuth|checkPermission|assertAuth|ensureAuth|guardAuth|validateAuth|authorize|checkSession|verifySession|validateSession|ensureAuthenticated)[\s\S]){10,}?(?:prisma|db|supabase|query|fetch|sql)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Add authentication at the start of every Route Handler that reads or writes data.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  // ... data access\n}',
@@ -96,7 +96,7 @@ export const apiSecurityRules = [
         severity: "high",
         owasp: "API5:2023 Broken Function Level Authorization",
         description: "Endpoint in /admin or /api/admin path performs operations without verifying admin role or permissions. Any authenticated user could access admin functionality.",
-        pattern: /(?:\/api\/admin|\/admin)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!role|isAdmin|orgRole|permission|requireAdmin|checkRole|adminOnly|org:admin)[\s\S]){10,}?(?:prisma|db|supabase|sql)\.\w+/g,
+        pattern: /(?:\/api\/admin|\/admin)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!role|isAdmin|orgRole|permission|requireAdmin|checkRole|adminOnly|org:admin|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)[\s\S]){10,}?(?:prisma|db|supabase|sql)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify admin role/permissions in admin endpoints.",
         fixCode: 'const { userId, orgRole } = await auth();\nif (orgRole !== "org:admin") {\n  return new Response("Forbidden", { status: 403 });\n}',

package/build/data/rules/auth.js

@@ -6,7 +6,7 @@ export const authRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Route handler accesses database without authentication check. Anyone can call this endpoint.",
-        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|isAuthenticated|verifyToken|checkAuth|protect)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
+        pattern: /export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH)\s*\([^)]*\)\s*\{(?:(?!auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|isAuthenticated|verifyToken|checkAuth|protect|verifyAuth|checkPermission|assertAuth|ensureAuth|guardAuth|validateAuth|authorize|checkSession|verifySession|validateSession|ensureAuthenticated|withAuth)[\s\S])*?(?:prisma|db|supabase)\.\w+/g,
         languages: ["javascript", "typescript"],
         fix: "Add authentication check at the start of every route handler that accesses data.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  const data = await db.query(...);\n}',
@@ -69,7 +69,7 @@ export const authRules = [
         severity: "high",
         owasp: "A01:2025 Broken Access Control",
         description: "Admin or dashboard route handler does not verify user role or permissions.",
-        pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole|requireAdmin|requireRole|adminOnly)[\s\S])*?\}/g,
+        pattern: /(?:\/admin|\/dashboard)[\s\S]*?export\s+(?:async\s+)?function\s+(?:GET|POST|PUT|DELETE|PATCH|default)\s*\([^)]*\)\s*\{(?:(?!role|permission|isAdmin|orgRole|checkRole|requireAdmin|requireRole|adminOnly|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize)[\s\S])*?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify user roles and permissions in admin routes.",
         fixCode: 'import { auth } from "@clerk/nextjs/server";\n\nexport async function GET() {\n  const { userId, orgRole } = await auth();\n  if (orgRole !== "org:admin") {\n    return new Response("Forbidden", { status: 403 });\n  }\n}',

package/build/data/rules/core.js

@@ -19,7 +19,7 @@ export const coreRules = [
         severity: "critical",
         owasp: "A01:2025 Broken Access Control",
         description: "Cloud provider API key or token pattern detected in source code (AWS, GitHub, OpenAI, Stripe).",
-        pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-[A-Za-z0-9]{20,}|sk_live_[A-Za-z0-9]{5,}|rk_live_[A-Za-z0-9]{5,})/g,
+        pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-(?:proj-)?[A-Za-z0-9\-_]{20,}|sk_live_[A-Za-z0-9]{5,}|rk_live_[A-Za-z0-9]{5,})/g,
         languages: ["javascript", "typescript", "python", "go", "html", "shell"],
         fix: "Remove hardcoded keys immediately. Use environment variables or a secrets manager (AWS Secrets Manager, Vault). Rotate any compromised keys.",
         fixCode: "// Store keys in environment variables\nconst awsKey = process.env.AWS_ACCESS_KEY_ID;\nconst githubToken = process.env.GITHUB_TOKEN;",
@@ -386,4 +386,52 @@ export const coreRules = [
         fixCode: '// BAD: user input in event handler\n// `<img onerror="${userInput}">`\n\n// GOOD: use addEventListener\nconst img = document.createElement("img");\nimg.addEventListener("error", () => handleError(sanitizedInput));',
         compliance: ["SOC2:CC7.1"],
     },
+    {
+        id: "VG111",
+        name: "SSRF via User-Controlled URL",
+        severity: "high",
+        owasp: "A10:2025 Server-Side Request Forgery",
+        description: "User-controlled input is passed directly to fetch(), axios, or http.request() as the URL. Attackers can make the server request internal services (169.254.169.254 for cloud metadata, localhost admin panels, internal APIs) leading to data exfiltration or remote code execution.",
+        pattern: /(?:fetch|axios\.(?:get|post|put|delete|patch|request)|got(?:\.(?:get|post|put|delete|patch))?|http\.(?:get|request)|https\.(?:get|request)|urllib\.request\.urlopen)\s*\(\s*(?!["'`]https?:\/\/|["'`]\/|`\$\{process\.env)(?:[a-zA-Z_$]\w*)\s*[,)]/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Validate URLs against an allowlist of trusted domains. Block private/internal IP ranges (10.x, 172.16-31.x, 192.168.x, 127.x, 169.254.x, ::1). Use a URL parser to check the hostname before making the request.",
+        fixCode: '// Validate URL before fetching\nconst ALLOWED_HOSTS = ["api.example.com", "cdn.example.com"];\nconst parsed = new URL(userUrl);\nif (!ALLOWED_HOSTS.includes(parsed.hostname)) {\n  throw new Error("Blocked: untrusted host");\n}\n// Also block private IPs\nconst ip = await dns.resolve(parsed.hostname);\nif (isPrivateIP(ip)) throw new Error("Blocked: internal host");\nawait fetch(parsed.href);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
+    {
+        id: "VG112",
+        name: "XSS via insertAdjacentHTML",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "insertAdjacentHTML() renders raw HTML strings into the DOM without sanitization, enabling Cross-Site Scripting (XSS). Unlike textContent, this method parses and executes HTML including script tags and event handlers.",
+        pattern: /\.insertAdjacentHTML\s*\(\s*["'](?:beforebegin|afterbegin|beforeend|afterend)["']\s*,/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use textContent or innerText for plain text. If HTML is needed, sanitize with DOMPurify first.",
+        fixCode: '// BAD: XSS risk\nel.insertAdjacentHTML("beforeend", userInput);\n\n// GOOD: plain text\nel.insertAdjacentText("beforeend", userInput);\n\n// GOOD: sanitized HTML\nimport DOMPurify from "dompurify";\nel.insertAdjacentHTML("beforeend", DOMPurify.sanitize(userInput));',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
+    },
+    {
+        id: "VG113",
+        name: "XSS/SSRF via XMLHttpRequest",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "XMLHttpRequest.open() is called with a user-controlled URL. This can lead to SSRF (server-side) or data exfiltration (client-side) if the URL is not validated.",
+        pattern: /\.open\s*\(\s*["'](?:GET|POST|PUT|DELETE|PATCH)["']\s*,\s*(?:url|uri|href|endpoint|target|userUrl|inputUrl|src)\b/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Validate the URL against an allowlist before passing to XMLHttpRequest.open(). Prefer fetch() with URL validation over raw XHR.",
+        fixCode: '// Validate URL before XHR\nconst allowed = ["https://api.example.com"];\nconst parsed = new URL(userUrl);\nif (!allowed.some(a => userUrl.startsWith(a))) throw new Error("Blocked");\nxhr.open("GET", parsed.href);',
+        compliance: ["SOC2:CC7.1"],
+    },
+    {
+        id: "VG114",
+        name: "SQL Injection via Template Literal",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "SQL query constructed using JavaScript template literals with interpolated variables. Template literal SQL is just as dangerous as string concatenation — any user-controlled value can break out of the SQL context and inject arbitrary queries.",
+        pattern: /(?:query|execute|raw|sql|prepare|QueryRow|QueryContext|db\.run|db\.all|db\.get|connection\.query)\s*\(\s*`[^`]*\$\{/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use parameterized queries. For tagged template literals (e.g. Prisma sql``, Drizzle sql``), the tagged version IS safe — only raw template literals passed to query() are dangerous.",
+        fixCode: '// BAD: template literal SQL\ndb.query(`SELECT * FROM users WHERE id = \'${userId}\'`);\n\n// GOOD: parameterized query\ndb.query("SELECT * FROM users WHERE id = $1", [userId]);\n\n// ALSO SAFE: tagged template literal (Prisma/Drizzle)\nimport { sql } from "drizzle-orm";\ndb.execute(sql`SELECT * FROM users WHERE id = ${userId}`);',
+        compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
+    },
 ];

package/build/data/rules/nextjs.js

@@ -30,7 +30,7 @@ export const nextjsRules = [
         severity: "critical",
         owasp: "A01:2025 Broken Access Control",
         description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
-        pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient))/g,
+        pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|requireAdmin|clerkClient|verifyAuth|checkPermission|assertAuth|ensureAuth|authorize|withAuth))/g,
         languages: ["javascript", "typescript"],
         fix: "Always verify authentication at the start of every Server Action.",
         fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n  const { userId } = await auth();\n  if (!userId) throw new Error("Unauthorized");\n}',
@@ -114,7 +114,7 @@ export const nextjsRules = [
         severity: "medium",
         owasp: "A01:2025 Broken Access Control",
         description: "redirect() or NextResponse.redirect() uses user-controlled input (searchParams, query) which can redirect users to malicious sites.",
-        pattern: /redirect\s*\(\s*(?:searchParams|params|req\.query|request\.url|url|query)\s*[\.\[]/g,
+        pattern: /(?:redirect|NextResponse\.redirect|res\.redirect|Response\.redirect)\s*\(\s*(?:searchParams|params|req\.query|request\.url|url|query|returnTo|callbackUrl|next|goto|returnUrl|redirectUrl|destination)\b/gi,
         languages: ["javascript", "typescript"],
         fix: "Validate redirect URLs against an allowlist of trusted domains.",
         fixCode: '// Validate redirect URL\nconst ALLOWED_HOSTS = ["example.com"];\nconst target = searchParams.get("next") ?? "/";\ntry {\n  const url = new URL(target, request.url);\n  if (!ALLOWED_HOSTS.includes(url.hostname)) redirect("/");\n  redirect(url.pathname);\n} catch {\n  redirect("/");\n}',

package/build/tools/check-code.js

@@ -126,6 +126,53 @@ function isRuleDefinitionFile(code, filePath) {
     }
     return false;
 }
+/**
+ * Detect if code contains an auth guard pattern — regardless of function name.
+ * Matches patterns like:
+ *   const { userId } = await someFunction(); if (!userId) return/throw;
+ *   const { error } = await someFunction(); if (error) return error;
+ *   const session = await someFunction(); if (!session) throw/return;
+ *   await someFunction(); // + early return pattern
+ *
+ * This is naming-agnostic: works for requireAdmin, verifyAuth, checkPermission,
+ * ensureLoggedIn, or any custom auth wrapper.
+ */
+function hasAuthGuardPattern(code) {
+    // Pattern 1: destructured result checked with early return/throw
+    // e.g., const { userId } = await xxx(); if (!userId) return;
+    // e.g., const { error } = await xxx(); if (error) return error;
+    if (/(?:const|let)\s+\{[^}]*\}\s*=\s*await\s+\w+\s*\([^)]*\)\s*;?\s*\n\s*if\s*\(\s*!?\w+/.test(code)) {
+        if (/if\s*\([^)]*\)\s*(?:return|throw)\b/.test(code))
+            return true;
+    }
+    // Pattern 2: result assigned then checked
+    // e.g., const session = await xxx(); if (!session) return;
+    if (/(?:const|let)\s+\w+\s*=\s*await\s+\w+\s*\([^)]*\)\s*;?\s*\n\s*if\s*\(\s*!\w+/.test(code)) {
+        return true;
+    }
+    // Pattern 3: function called with await that contains auth-like keywords in name
+    // Broad catch: any function name containing auth/session/permission/guard/verify/protect
+    if (/await\s+(?:\w+\.)*\w*(?:auth|Auth|session|Session|permission|Permission|guard|Guard|verify|Verify|protect|Protect|check|Check|ensure|Ensure|require|Require|assert|Assert|authorize|Authorize)\w*\s*\(/i.test(code)) {
+        return true;
+    }
+    return false;
+}
+/**
+ * Detect if code has a role/permission check — regardless of function name.
+ * Matches: role === "admin", permission check, role-based condition.
+ */
+function hasRoleCheckPattern(code) {
+    // Direct role/permission comparison
+    if (/(?:role|permission|isAdmin|access|level)\s*(?:===|!==|==|!=)\s*["']/i.test(code))
+        return true;
+    // Function call with role/permission-like args
+    if (/(?:check|require|verify|ensure|assert|has|can)\w*\s*\(\s*["'](?:admin|manager|editor|owner|moderator|superadmin)/i.test(code))
+        return true;
+    // Destructured role check: const { role } = ...; if (role !== "admin")
+    if (/\brole\b[\s\S]{0,100}?(?:!==|===)\s*["']/i.test(code))
+        return true;
+    return false;
+}
 export function analyzeCode(code, language, framework, filePath, configDir, rules) {
     // Skip files that are security rule definitions (they intentionally contain
     // vulnerable code patterns as regex matchers and fixCode examples)
@@ -136,6 +183,15 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
     const findings = [];
     const lines = code.split("\n");
     const suppressions = parseSuppressionsFromCode(lines);
+    // Pre-analyze: detect auth guards and role checks pattern-agnostically
+    let codeHasAuthGuard = hasAuthGuardPattern(code);
+    const codeHasRoleCheck = hasRoleCheckPattern(code);
+    // Config: check custom auth function names from .guardviberc
+    if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
+        const customPattern = new RegExp(`(?:${config.authFunctions.join("|")})\\s*\\(`, "i");
+        if (customPattern.test(code))
+            codeHasAuthGuard = true;
+    }
     const effectiveRules = rules ?? owaspRules;
     for (const rule of effectiveRules) {
         if (!rule.languages.includes(language))
@@ -152,25 +208,30 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             continue;
         if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
             continue;
-        // Context-aware: skip auth rules for webhook routes that have signature verification
+        // ── Context-aware rule skipping (pattern-agnostic) ──────────────
+        const authRuleIds = new Set(["VG420", "VG952", "VG002", "VG402"]);
+        const adminRoleRuleIds = new Set(["VG426", "VG957"]);
+        const rateLimitRuleIds = new Set(["VG956", "VG030"]);
         const isWebhookRoute = filePath && /webhook/i.test(filePath);
+        const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
+        const isAdminRoute = filePath && /\/admin\//i.test(filePath);
+        // Skip auth rules when code has any auth guard pattern (naming-agnostic)
+        if (codeHasAuthGuard && authRuleIds.has(rule.id))
+            continue;
+        // Skip admin role rules when code has any role/permission check
+        if (codeHasRoleCheck && adminRoleRuleIds.has(rule.id))
+            continue;
+        // Skip auth rules for webhook routes with signature verification
         const hasSignatureVerification = isWebhookRoute && /(?:verify|signature|hmac|constructEvent|svix|webhookSecret|createHmac|X-Signature|stripe-signature)/i.test(code);
-        const authRuleIds = new Set(["VG420", "VG952", "VG002"]);
         if (hasSignatureVerification && authRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for cron/scheduled routes
-        const isCronRoute = filePath && /(?:cron|scheduled|jobs?)\//i.test(filePath);
-        const rateLimitRuleIds = new Set(["VG956", "VG030"]);
+        // Skip rate limiting for cron and webhook routes
         if (isCronRoute && rateLimitRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for webhook routes
-        // Webhooks are called by external services, not users — rate limiting is irrelevant
         if (isWebhookRoute && rateLimitRuleIds.has(rule.id))
             continue;
-        // Context-aware: skip rate limiting rules for admin routes that have admin auth
-        const isAdminRoute = filePath && /\/admin\//i.test(filePath);
-        const hasAdminAuth = isAdminRoute && /(?:requireAdmin|adminOnly|orgRole|org:admin|isAdmin|checkRole|requireRole)/i.test(code);
-        if (hasAdminAuth && rateLimitRuleIds.has(rule.id))
+        // Skip rate limiting for admin routes with auth guard
+        if (isAdminRoute && codeHasAuthGuard && rateLimitRuleIds.has(rule.id))
             continue;
         // Skip npm package rules (VG863/VG864/VG865): only apply to package.json files
         if ((rule.id === "VG863" || rule.id === "VG864" || rule.id === "VG865") && filePath && !filePath.endsWith("package.json"))
@@ -199,7 +260,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             : rule;
         // Context-aware severity: downgrade rate limiting/pagination issues in admin routes
         // Admin routes behind requireAdmin have lower brute-force risk
-        if (isAdminRoute && hasAdminAuth) {
+        if (isAdminRoute && codeHasAuthGuard) {
             const downgradeInAdmin = new Set(["VG955"]); // pagination in admin is less critical
             if (downgradeInAdmin.has(rule.id) && effectiveRule.severity === "medium") {
                 effectiveRule = { ...effectiveRule, severity: "low" };

package/build/utils/config.d.ts

@@ -22,6 +22,10 @@ export interface GuardVibeConfig {
     };
     plugins: string[];
     compliance?: CompliancePolicy;
+    /** Custom auth function names that GuardVibe should recognize as auth guards.
+     *  e.g. ["requireAdmin", "verifyUser", "ensureLoggedIn"]
+     *  These are added ON TOP of the built-in pattern-agnostic detection. */
+    authFunctions?: string[];
 }
 export declare function loadConfig(dir?: string): GuardVibeConfig;
 export declare function resetConfigCache(): void;

package/build/utils/config.js

@@ -67,6 +67,7 @@ export function loadConfig(dir) {
                 exceptions: Array.isArray(parsed.compliance.exceptions) ? parsed.compliance.exceptions : [],
                 requiredControls: Array.isArray(parsed.compliance.requiredControls) ? parsed.compliance.requiredControls : undefined,
             } : undefined,
+            authFunctions: Array.isArray(parsed.authFunctions) ? parsed.authFunctions : undefined,
         };
     }
     catch { }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "1.9.6",
+  "version": "2.0.1",
   "description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",
   "bin": {