guardvibe 2.9.4 → 2.9.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +23 -4
- package/package.json +1 -1
@@ -246,10 +246,17 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
246
246
let codeHasAuthGuard = hasAuthGuardPattern(code);
247
247
const codeHasRoleCheck = hasRoleCheckPattern(code);
248
248
// Pre-analyze: detect fix patterns to suppress false positives after remediation
249
-
250
-
const
251
-
252
-
const
249
+
// These detect BOTH inline usage AND imported utility functions
250
+
const codeHasSanitization = /(?:DOMPurify\.sanitize|sanitize(?:Html|HTML)|xss\s*\(|purify\s*\(|escapeHtml|sanitizeHtml)\s*\(/i.test(code) ||
251
+
/import\s+.*(?:sanitize|DOMPurify|escapeHtml|purify|xss)\b/i.test(code);
252
+
const codeHasUrlValidation = /(?:(?:validate|verify|check|safe|allowed)(?:Url|URL|Uri|URI|Fetch)(?:Url)?|(?:ALLOWED_(?:HOSTS|URLS|ORIGINS|DOMAINS))|(?:allowlist|whitelist|safelist)[\s\S]{0,50}?(?:includes|has|match))/i.test(code) ||
253
+
/import\s+.*(?:validateUrl|validateFetchUrl|urlValidat|safeUrl|allowedUrl)/i.test(code);
254
+
const codeHasUuidFilename = /(?:randomUUID|nanoid|uuidv4|v4\s*\(\)|crypto\.randomUUID)\s*\(/i.test(code) ||
255
+
/import\s+.*(?:sanitizeFilename|sanitizeUploadFilename|safeFilename)/i.test(code);
256
+
const codeHasCronVerification = /(?:verify|validate|check)(?:Cron|Secret|Auth|Signature)\s*\(/i.test(code) ||
257
+
/import\s+.*(?:verifyCron|cronAuth|validateCron|checkCron)/i.test(code);
258
+
const codeHasRedirectValidation = /(?:sanitize|validate|verify|check|safe|allowed)(?:Redirect|RedirectUrl|CallbackUrl)\s*\(/i.test(code) ||
259
+
/import\s+.*(?:sanitizeRedirect|validateRedirect|safeRedirect)/i.test(code);
253
260
const isMigrationFile = filePath ? /(?:migrations?|supabase\/migrations|seeds?|fixtures)\//i.test(filePath) : false;
254
261
const isPeerDeps = /["']peerDependencies["']/i.test(code);
255
262
// Config: check custom auth function names from .guardviberc
@@ -317,6 +324,18 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
317
324
// Skip cron secret rules when custom verification function is present
318
325
if (codeHasCronVerification && ["VG968", "VG503"].includes(rule.id))
319
326
continue;
327
+
// Skip open redirect rules when redirect URL validation is present
328
+
if (codeHasRedirectValidation && ["VG425", "VG409", "VG660"].includes(rule.id))
329
+
continue;
330
+
// Skip VG131 (state-changing GET) when only read operations are present
331
+
if (rule.id === "VG131") {
332
+
// If code only has read operations (findMany, findFirst, count, aggregate, select)
333
+
// and no actual mutations, skip this rule
334
+
const hasMutation = /(?:\.create\s*\(|\.update\s*\(|\.delete\s*\(|\.destroy\s*\(|\.remove\s*\(|\.insert\s*\(|DELETE\s+FROM|UPDATE\s+\w|INSERT\s+INTO)/i.test(code);
335
+
const onlyInComments = !hasMutation;
336
+
if (onlyInComments)
337
+
continue;
338
+
}
320
339
// Skip CVE version rules in peerDependencies (ranges, not actual versions)
321
340
if (isPeerDeps && rule.id === "VG903")
322
341
continue;
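Review bot: The `hasMutation` regex added at new line 334 matches only the bare method names, so Prisma's `.updateMany(`, `.deleteMany(`, `.createMany(` and `.upsert(`, as well as `$executeRaw`, are not counted as mutations and a GET handler that uses only those now has VG131 suppressed for the whole file; widening the alternation, e.g. `\.(?:create|update|delete|destroy|remove|insert|upsert)(?:Many)?\s*\(|\$executeRaw`, closes that gap. `onlyInComments` at line 335 is also misnamed, since nothing here inspects comments and it is literally `!hasMutation`; `if (!hasMutation) continue;` says what is meant and drops a variable. It is worth a one-line comment that the skip is file-scoped, like the other suppressions above it: one mutation anywhere keeps the rule on, but none anywhere turns it off for every handler in the file. The first hunk has a related regex slip in `codeHasUuidFilename` (new line 254): the alternative `v4\s*\(\)` is followed by the shared `\s*\(`, so a plain `v4()` call can never satisfy it, and `v4` alone in the alternation is what was presumably intended. The enclosing `analyzeCode` loop starts and ends outside the hunk.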
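--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "guardvibe",
-"version": "2.9.
+"version": "2.9.5",
 "mcpName": "io.github.goklab/guardvibe",
 "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
 "type": "module",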