guardvibe 2.1.0 → 2.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/data/rules/core.js +28 -4
- package/package.json +1 -1
package/build/data/rules/core.js
CHANGED
|
@@ -387,7 +387,7 @@ export const coreRules = [
|
|
|
387
387
|
compliance: ["SOC2:CC7.1"],
|
|
388
388
|
},
|
|
389
389
|
{
|
|
390
|
-
id: "
|
|
390
|
+
id: "VG120",
|
|
391
391
|
name: "SSRF via User-Controlled URL",
|
|
392
392
|
severity: "high",
|
|
393
393
|
owasp: "A10:2025 Server-Side Request Forgery",
|
|
@@ -399,7 +399,7 @@ export const coreRules = [
|
|
|
399
399
|
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
400
400
|
},
|
|
401
401
|
{
|
|
402
|
-
id: "
|
|
402
|
+
id: "VG121",
|
|
403
403
|
name: "XSS via insertAdjacentHTML",
|
|
404
404
|
severity: "high",
|
|
405
405
|
owasp: "A02:2025 Injection",
|
|
@@ -411,7 +411,7 @@ export const coreRules = [
|
|
|
411
411
|
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
|
|
412
412
|
},
|
|
413
413
|
{
|
|
414
|
-
id: "
|
|
414
|
+
id: "VG122",
|
|
415
415
|
name: "XSS/SSRF via XMLHttpRequest",
|
|
416
416
|
severity: "high",
|
|
417
417
|
owasp: "A02:2025 Injection",
|
|
@@ -423,7 +423,7 @@ export const coreRules = [
|
|
|
423
423
|
compliance: ["SOC2:CC7.1"],
|
|
424
424
|
},
|
|
425
425
|
{
|
|
426
|
-
id: "
|
|
426
|
+
id: "VG123",
|
|
427
427
|
name: "SQL Injection via Template Literal",
|
|
428
428
|
severity: "critical",
|
|
429
429
|
owasp: "A02:2025 Injection",
|
|
@@ -434,4 +434,28 @@ export const coreRules = [
|
|
|
434
434
|
fixCode: '// BAD: template literal SQL\ndb.query(`SELECT * FROM users WHERE id = \'${userId}\'`);\n\n// GOOD: parameterized query\ndb.query("SELECT * FROM users WHERE id = $1", [userId]);\n\n// ALSO SAFE: tagged template literal (Prisma/Drizzle)\nimport { sql } from "drizzle-orm";\ndb.execute(sql`SELECT * FROM users WHERE id = ${userId}`);',
|
|
435
435
|
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
436
436
|
},
|
|
437
|
+
{
|
|
438
|
+
id: "VG124",
|
|
439
|
+
name: "Insecure Random for Security Token",
|
|
440
|
+
severity: "high",
|
|
441
|
+
owasp: "A02:2025 Cryptographic Failures",
|
|
442
|
+
description: "Math.random() is used to generate tokens, IDs, codes, or nonces. Math.random() is not cryptographically secure — its output is predictable, allowing attackers to guess reset tokens, session IDs, verification codes, or API keys.",
|
|
443
|
+
pattern: /(?:(?:token|secret|key|code|nonce|session|reset|verify|otp|password|auth|invite|magic|csrf)\w*\s*=[\s\S]{0,30}?Math\.random|Math\.random\s*\(\s*\)[\s\S]{0,50}?(?:token|secret|key|code|nonce|session|reset|verify|otp|password|auth|invite|magic|csrf))/gi,
|
|
444
|
+
languages: ["javascript", "typescript"],
|
|
445
|
+
fix: "Use crypto.randomUUID() or crypto.randomBytes() for security-sensitive random values.",
|
|
446
|
+
fixCode: '// BAD: predictable\nconst token = Math.random().toString(36);\n\n// GOOD: cryptographically secure\nimport { randomUUID, randomBytes } from "crypto";\nconst token = randomUUID();\nconst resetCode = randomBytes(32).toString("hex");\n// Or in browser:\nconst token = crypto.randomUUID();',
|
|
447
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.3"],
|
|
448
|
+
},
|
|
449
|
+
{
|
|
450
|
+
id: "VG125",
|
|
451
|
+
name: "Session Not Regenerated After Authentication",
|
|
452
|
+
severity: "high",
|
|
453
|
+
owasp: "A07:2025 Identification and Authentication Failures",
|
|
454
|
+
description: "User session is not regenerated after login/authentication. This enables session fixation attacks — an attacker can set a known session ID before the user logs in, then hijack their authenticated session.",
|
|
455
|
+
pattern: /(?:login|signIn|authenticate|logIn)\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))[\s\S]{0,500}?(?:req\.session\.\w+\s*=)(?:(?!regenerate|destroy|create|rotate)[\s\S]){0,300}?(?:res\.|return|next\()/gi,
|
|
456
|
+
languages: ["javascript", "typescript"],
|
|
457
|
+
fix: "Regenerate the session after successful authentication. In Express: req.session.regenerate(). In Next.js: use a new session token.",
|
|
458
|
+
fixCode: '// Express: regenerate session after login\napp.post("/login", async (req, res) => {\n const user = await authenticate(req.body);\n if (!user) return res.status(401).json({ error: "Invalid credentials" });\n req.session.regenerate((err) => {\n req.session.userId = user.id;\n res.json({ ok: true });\n });\n});',
|
|
459
|
+
compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
|
|
460
|
+
},
|
|
437
461
|
];
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "2.1.
|
|
3
|
+
"version": "2.1.1",
|
|
4
4
|
"description": "Security MCP for vibe coding. 277 rules, 24 tools for Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"bin": {
|