guardvibe 3.0.39 → 3.0.41

package/build/data/rules/advanced-security.js

@@ -8,7 +8,7 @@ export const advancedSecurityRules = [
         severity: "high",
         owasp: "A02:2025 Injection",
         description: "User input is interpolated into HTTP response headers. Attackers can inject CRLF characters to add arbitrary headers (Set-Cookie, Location) or split the response.",
-        pattern: /(?:setHeader|set|append|headers\.set)\s*\(\s*["'][^"']+["']\s*,\s*(?:`[^`]*\$\{|[^"']*\+\s*(?:req\.|request\.|params\.|query\.|searchParams|input|body|user))/gi,
+        pattern: /(?:res(?:ponse)?\.(?:setHeader|set|append)|headers\.(?:set|append)|setHeader|appendHeader)\s*\(\s*["'][^"']+["']\s*,\s*(?:`[^`]*\$\{|[^"']*\+\s*(?:req\.|request\.|params\.|query\.|searchParams|input|body|user))/gi,
         languages: ["javascript", "typescript"],
         fix: "Never interpolate user input into response headers. Sanitize by removing \\r and \\n characters.",
         fixCode: '// Sanitize header values\nconst safeValue = userInput.replace(/[\\r\\n]/g, "");\nres.setHeader("Content-Disposition", `attachment; filename="${safeValue}"`);',

package/build/tools/check-code.js

@@ -321,8 +321,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // - VG010/VG011/VG013/VG014: injection rules trigger on payload strings like
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
-        const isTestFile = filePath && /(?:\.(?:spec|test|e2e|stories)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG678"].includes(rule.id))
+        const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678"].includes(rule.id))
             continue;
         // Skip Expo-specific rule (VG708) when project is not an Expo app.
         // The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"
@@ -378,6 +378,11 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // for batch processing, not for serving to clients.
         if (rule.id === "VG955" && (isBatchScriptFile || isCronRoute))
             continue;
+        // Skip VG132 (Missing Request Body Size Limit) on Next.js route handlers and
+        // pages/api endpoints — Next.js/Vercel apply a default 4.5MB body limit at the
+        // platform layer, which is what the rule is checking for.
+        if (rule.id === "VG132" && filePath && /(?:\/route\.(?:ts|tsx|js|jsx)$|\/pages\/api\/)/i.test(filePath))
+            continue;
         // Skip VG955 in bulk-* server actions (bulk-archive, bulk-approve, bulk-ban etc.)
         // These intentionally process a caller-provided list of IDs.
         if (rule.id === "VG955" && filePath && /\/bulk-[\w-]+\.(?:ts|tsx|js|jsx)$/i.test(filePath))
@@ -620,7 +625,10 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             // Skip VG863 for non-publishable apps. Signals that this is an application, not a library:
             // no publishing fields (bin/exports/module/types), main does not point at a build dir,
             // and start script runs a runtime/framework directly.
+            // Also skip when "private": true — npm refuses to publish private packages outright.
             if (rule.id === "VG863") {
+                if (/"private"\s*:\s*true\b/.test(code))
+                    continue;
                 const hasPublishingFields = /"(?:bin|exports|module|types|typings)"\s*:/i.test(code);
                 const mainPointsToBuild = /"main"\s*:\s*"(?:dist|build|lib|out)\//i.test(code);
                 const runtimeNames = "node|nodemon|tsx|ts-node|next|nest|vite|remix|astro";
@@ -632,6 +640,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             // Skip VG955 (Missing Pagination) when the query is bounded by ID(s):
             // findMany({ where: { id: x } }) returns at most 1; findMany({ where: { id: { in: [...] } } })
             // is bounded by the caller-provided list. Same applies to *Id fields like partnerId, userId.
+            // Shorthand form { userId } / { teamId } counts as bound — these are tenant-scoped queries.
             if (rule.id === "VG955") {
                 const matched = match[0];
                 if (/\bin\s*:\s*\[/i.test(matched))
@@ -640,6 +649,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                     continue; // where: { partnerId: { in: ids } }
                 if (/\b(?:id|[a-zA-Z]+Id)\s*:\s*[a-zA-Z_$]/i.test(matched))
                     continue; // where: { id: someVar }
+                if (/\b(?:id|[a-zA-Z]+Id)\s*[,}]/i.test(matched))
+                    continue; // where: { userId } shorthand
             }
             // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
             // and for comparisons against literals/null/undefined that are emptiness checks,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.0.39",
+  "version": "3.0.41",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 365 rules, 38 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",