guardvibe 3.0.42 → 3.0.43
- package/build/tools/check-code.js +16 -0
- package/package.json +1 -1
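--- a/package/build/tools/check-code.js
+++ b/package/build/tools/check-code.js
@@ -652,6 +652,22 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
 if (/\b(?:id|[a-zA-Z]+Id)\s*[,}]/i.test(matched))
 continue; // where: { userId } shorthand
 }
+// Skip VG154 (Supabase race condition) for count-only or list queries — these don't
+// produce a value-checked-then-mutated pattern. count: 'exact', head: true returns no
+// rows; .order/.limit/.range chains are paginated reads, not single-record check-then-act.
+if (rule.id === "VG154") {
+const matched = match[0];
+if (/\bhead\s*:\s*true\b/i.test(matched))
+continue;
+if (/\.(?:order|range|limit)\s*\(/i.test(matched))
+continue;
+}
+// Skip VG155 (CSRF) in Next.js App Router route handlers (app/.../route.{ts,tsx,js,jsx}).
+// App Router protects state-changing requests by default: SameSite=Lax cookies block
+// cross-site cookie attachment, and JSON Content-Type triggers CORS preflight. Bearer-token
+// auth (Clerk, Auth0) is also CSRF-immune since tokens aren't browser-attached automatically.
+if (rule.id === "VG155" && filePath && /\/app\/.+\/route\.(?:ts|tsx|js|jsx)$/i.test(filePath))
+continue;
 // Skip VG106 for non-secret variable names (TokenCount, tokenBalance, hashMap, etc.)
 // and for comparisons against literals/null/undefined that are emptiness checks,
 // not timing-sensitive secret equality (e.g. token !== '' or apiKey == null).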
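Review bot: The VG155 skip on the new `if (rule.id === "VG155" && filePath && ...)` line suppresses the CSRF finding for every App Router route handler by file path alone, while the protections the comment relies on (SameSite=Lax defaults, JSON preflight, bearer tokens) are properties of the handler rather than of the path: a handler that reads `request.formData()` behind a cookie session, or one whose session cookie is issued with SameSite=None, remains reachable cross-site, so the change trades a false positive for a silent false negative. Consider narrowing the skip to matches that actually parse JSON (`request.json()`) or read an Authorization header, and otherwise lowering the severity instead of `continue`. The path test also requires a leading `/app/`, so a project-relative `app/api/x/route.ts` or a backslash-separated Windows path would not match — worth confirming how `filePath` is normalized before it reaches analyzeCode. In the VG154 block, `.limit(` is treated as a paginated read, but `.limit(1)` (often chained with `.single()`/`.maybeSingle()`) is exactly the single-record fetch the check-then-act rule targets; `if (/\.(?:order|range|limit)\s*\(/i.test(matched) && !/\.(?:single|maybeSingle)\s*\(/i.test(matched)) continue;` would keep those in scope. analyzeCode begins and ends outside the hunk.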
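--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "guardvibe",
-"version": "3.0.
+"version": "3.0.43",
 "mcpName": "io.github.goklab/guardvibe",
 "description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
 "type": "module",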