guardvibe 2.9.8 → 2.9.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/build/data/rules/cve-versions.js +1 -1
  2. package/build/tools/check-code.js +15 -4
  3. package/package.json +1 -1
package/build/data/rules/cve-versions.js CHANGED
@@ -42,7 +42,7 @@ export const cveVersionRules = [
42
42
  severity: "high",
43
43
  owasp: "A02:2025 Injection",
44
44
  description: "React versions before 18.3.1 contain known XSS vulnerabilities. React 16.x and 17.x have multiple unpatched security issues.",
45
- pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-2]\.\d+|18\.3\.0)["']/g,
45
+ pattern: /["']react["']\s*:\s*["'](?:\^|~|>=?)?\s*(?:15\.\d+\.\d+|16\.\d+\.\d+|17\.\d+\.\d+|18\.[0-1]\.\d+|18\.3\.0)["']/g,
46
46
  languages: ["json"],
47
47
  fix: "Upgrade React to 18.3.1 or later: npm install react@latest react-dom@latest",
48
48
  fixCode: '// package.json\n"react": "^18.3.1",\n"react-dom": "^18.3.1"',
package/build/tools/check-code.js CHANGED
@@ -212,6 +212,8 @@ const LEGITIMATE_PREFIXED_PACKAGES = new Set([
212
212
  "fast-sha256", "fast-text-encoding",
213
213
  "svix",
214
214
  "cheerio",
215
+ "simple-plist", "simple-git", "simple-update-notifier", "simple-swizzle", "simple-concat",
216
+ "simple-html-tokenizer", "simple-ast",
215
217
  ]);
216
218
  function isLegitimatePackage(name) {
217
219
  return LEGITIMATE_PREFIXED_PACKAGES.has(name);
@@ -271,7 +273,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
271
273
  const isSqlSchemaFile = filePath ? /(?:schema|migration|seed|ddl|init).*\.sql$/i.test(filePath) : false;
272
274
  const isReactNative = /(?:react-native|from\s+['"]react-native['"]|from\s+['"]expo|import\s+.*\bexpo\b)/i.test(code);
273
275
  const codeHasTimingSafeEqual = /(?:timingSafeEqual|timing.?safe|constant.?time)/i.test(code);
274
- const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code);
276
+ const codeHasFilenameSanitization = /(?:\.replace\s*\(\s*\/\[?\^?[a-z0-9\\-_\]]*\]?\/?[gi]*\s*,|sanitize(?:File|Name|Path)|safeName|cleanName)/i.test(code) ||
277
+ /(?:Date\.now\(\)|timestamp|uuid|nanoid|crypto\.randomUUID)[\s\S]{0,80}?\.\s*(?:ext|split|pop)/i.test(code);
275
278
  const isPeerDeps = /["']peerDependencies["']/i.test(code);
276
279
  // Config: check custom auth function names from .guardviberc
277
280
  if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
@@ -434,23 +437,31 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
434
437
  // Skip CVE version rules in peerDependencies (ranges, not actual versions)
435
438
  if (isPeerDeps && rule.id === "VG903")
436
439
  continue;
437
- // Skip VG140 (XXE) when file doesn't actually parse XML just has XML-related imports
440
+ // Skip VG140 (XXE) when file doesn't actually parse XML or uses browser DOMParser
441
+ // Browser DOMParser with 'text/html' is safe by design — no external entity processing
438
442
  if (rule.id === "VG140") {
439
- const hasXmlParsing = /(?:parseString|parseXml|xml2js|DOMParser|XMLParser)\s*\(/i.test(code);
443
+ const hasXmlParsing = /(?:parseString|parseXml|xml2js|xmldom|libxmljs|XMLParser)\s*\(/i.test(code);
440
444
  if (!hasXmlParsing)
441
445
  continue;
446
+ // Browser DOMParser with text/html is inherently safe
447
+ const hasBrowserDomParser = /new\s+DOMParser\s*\(\s*\)[\s\S]{0,50}?['"]text\/html['"]/i.test(code);
448
+ if (hasBrowserDomParser && !hasXmlParsing)
449
+ continue;
442
450
  }
443
451
  // Skip VG020 (wildcard dependency version) in lock files — engine constraints
444
452
  // like "node": ">=6" are not dependency versions
445
453
  if (rule.id === "VG020" && filePath && /(?:package-lock\.json|yarn\.lock|pnpm-lock\.yaml|npm-shrinkwrap\.json)$/.test(filePath))
446
454
  continue;
447
455
  // Skip VG430 (Supabase anon key on server) when file properly separates client/server
448
- // Pattern: file exports both a client (anon key) and server (service_role) function
456
+ // or is a React Native/mobile client (anon key with AsyncStorage is correct pattern)
449
457
  if (rule.id === "VG430") {
450
458
  const hasServiceRole = /(?:SUPABASE_SERVICE_ROLE|service_role|serviceRole)/i.test(code);
451
459
  const hasClientServer = /(?:createClient|createServerClient|createBrowserClient)/i.test(code) && hasServiceRole;
452
460
  if (hasClientServer)
453
461
  continue;
462
+ const isMobileClient = isReactNative || /AsyncStorage/i.test(code) || /EXPO_PUBLIC_/i.test(code);
463
+ if (isMobileClient)
464
+ continue;
454
465
  }
455
466
  // Skip VG448 (Supabase RPC bypass RLS) when using service_role key (server-side)
456
467
  if (rule.id === "VG448" && /(?:SUPABASE_SERVICE_ROLE|service_role|createServerSupabaseClient|createServerClient)/i.test(code))
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "2.9.8",
3
+ "version": "2.9.9",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
5
  "description": "Security MCP for vibe coding. 334 rules, 31 tools, CLI + doctor. Host security: CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit, AI host hardening. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",