npm - guardvibe - Versions diffs - 3.0.17 → 3.0.19 - Mend

guardvibe 3.0.17 → 3.0.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/build/cli/hook.js +1 -1
package/build/tools/audit-config.js +25 -2
package/build/tools/check-code.js +8 -3
package/build/tools/cross-file-taint.js +22 -1
package/package.json +1 -1

package/build/cli/hook.js CHANGED Viewed

@@ -11,7 +11,7 @@ const HOOK_SCRIPT = `#!/bin/sh
 echo "🔒 GuardVibe: scanning staged files..."
 # Run guardvibe scan on staged files
-RESULT=$(npx -y guardvibe-scan 2>&1)
+RESULT=$(npx -y guardvibe scan --staged 2>&1)
 EXIT_CODE=$?
 if [ $EXIT_CODE -ne 0 ]; then

package/build/tools/audit-config.js CHANGED Viewed

@@ -152,11 +152,22 @@ function runChecks(files, root) {
                 const apiRoutes = files.routeHandlers
                     .map(r => r.path.replace(resolve(root), "").replace(/\\/g, "/"))
                     .filter(p => p.includes("/api/"));
+                // Check which routes are NOT covered by middleware matcher
+                // But exclude routes that have in-handler auth (requireAdmin, requireAuth, etc.)
+                const authGuardPattern = /requireAdmin|requireAuth|checkAuth|withAuth|getServerSession|auth\(\)|clerkClient|currentUser/;
                 const unprotectedApiRoutes = apiRoutes.filter(route => {
-                    return !matcherPaths.some(pattern => {
+                    // Check if middleware matcher covers this route
+                    const coveredByMatcher = matcherPaths.some(pattern => {
                         const normalized = pattern.replace(/:path\*/, "").replace(/\(.*?\)/, "");
                         return route.startsWith(normalized) || route.includes(normalized);
                     });
+                    if (coveredByMatcher)
+                        return false;
+                    // Check if the route handler has in-handler auth guard
+                    const handler = files.routeHandlers.find(r => r.path.replace(resolve(root), "").replace(/\\/g, "/") === route);
+                    if (handler && authGuardPattern.test(handler.content))
+                        return false;
+                    return true;
                 });
                 if (unprotectedApiRoutes.length > 0) {
                     issues.push({
@@ -193,11 +204,23 @@ function runChecks(files, root) {
         });
     }
     // Check for secrets in .env files that are also in NEXT_PUBLIC_
+    // Known safe public keys that are DESIGNED to be in client bundles
+    const knownPublicKeys = new Set([
+        "NEXT_PUBLIC_SUPABASE_ANON_KEY",
+        "NEXT_PUBLIC_SUPABASE_URL",
+        "NEXT_PUBLIC_TURNSTILE_SITE_KEY",
+        "NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY",
+        "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
+        "NEXT_PUBLIC_RECAPTCHA_SITE_KEY",
+        "NEXT_PUBLIC_GA_MEASUREMENT_ID",
+        "NEXT_PUBLIC_SITE_URL",
+        "NEXT_PUBLIC_APP_URL",
+    ]);
     for (const envFile of files.envFiles) {
         const lines = envFile.content.split("\n");
         for (const line of lines) {
             const match = /^(NEXT_PUBLIC_\w*(?:SECRET|KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*)\s*=/.exec(line);
-            if (match && !/PUBLISHABLE/i.test(match[1])) {
+            if (match && !/PUBLISHABLE/i.test(match[1]) && !knownPublicKeys.has(match[1])) {
                 issues.push({
                     id: "AC021", severity: "critical", category: "secrets",
                     title: `NEXT_PUBLIC_ exposes secret: ${match[1]}`,

package/build/tools/check-code.js CHANGED Viewed

@@ -5,18 +5,23 @@ import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 import { securityBanner } from "../utils/banner.js";
 function parseSuppressionsFromCode(lines) {
     const suppressions = [];
-    const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?\s*(?:-->)?/i;
+    const pattern = /(?:\/\/|#|<!--)\s*guardvibe-ignore(?:-next-line)?\s*(VG\d+)?(?:\s.*)?(?:-->)?/i;
     for (let i = 0; i < lines.length; i++) {
         const match = pattern.exec(lines[i]);
         if (!match)
             continue;
         const ruleId = match[1] || null;
         const isNextLine = lines[i].includes("guardvibe-ignore-next-line");
+        const isCommentOnlyLine = /^\s*(?:\/\/|#|<!--)/.test(lines[i]);
         if (isNextLine) {
-            suppressions.push({ line: i + 2, ruleId }); // next line (1-indexed)
+            suppressions.push({ line: i + 2, ruleId });
+        }
+        else if (isCommentOnlyLine) {
+            suppressions.push({ line: i + 1, ruleId });
+            suppressions.push({ line: i + 2, ruleId });
         }
         else {
-            suppressions.push({ line: i + 1, ruleId }); // same line (1-indexed)
+            suppressions.push({ line: i + 1, ruleId });
         }
     }
     return suppressions;

package/build/tools/cross-file-taint.js CHANGED Viewed

@@ -280,6 +280,18 @@ const SINK_PATTERNS = [
     { pattern: /writeFileSync?\s*\(/g, type: "path-traversal" },
     { pattern: /readFileSync?\s*\(/g, type: "path-traversal" },
 ];
+// Patterns that break the taint chain (validation/sanitization)
+const SANITIZER_PATTERNS = [
+    /validate\w*\s*\(/i,
+    /sanitize\w*\s*\(/i,
+    /safeParse\s*\(/i,
+    /parseBody\s*\(/i,
+    /DOMPurify/i,
+    /encodeURIComponent\s*\(/i,
+    /\.hostname\s*!==?\s*/i,
+    /\.origin\s*!==?\s*/i,
+    /allowlist|whitelist|allowedHosts/i,
+];
 function checkParamFlowsToSink(paramName, body, startLine) {
     const lines = body.split("\n");
     const taintedNames = new Set([paramName]);
@@ -289,11 +301,20 @@ function checkParamFlowsToSink(paramName, body, startLine) {
         if (m) {
             for (const t of taintedNames) {
                 if (m[2].includes(t)) {
-                    taintedNames.add(m[1]);
+                    const isSanitized = SANITIZER_PATTERNS.some(p => p.test(m[2]));
+                    if (!isSanitized) {
+                        taintedNames.add(m[1]);
+                    }
                     break;
                 }
             }
         }
+        // Break taint if value passes through validation
+        for (const t of taintedNames) {
+            if (line.includes(t) && SANITIZER_PATTERNS.some(p => p.test(line))) {
+                taintedNames.delete(t);
+            }
+        }
     }
     for (let i = 0; i < lines.length; i++) {
         const line = lines[i];

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.17",
+  "version": "3.0.19",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 335 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",