guardvibe 3.0.43 → 3.0.44
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -9,7 +9,10 @@ const TAINT_SOURCES = [
|
|
|
9
9
|
{ pattern: /(?:formData|searchParams)\.get\s*\(/g, type: "form-input" },
|
|
10
10
|
{ pattern: /(?:params|searchParams)\s*[\.\[]/g, type: "url-params" },
|
|
11
11
|
{ pattern: /(?:await\s+)?(?:request|req)\.(?:json|text|formData)\s*\(\)/g, type: "request-body" },
|
|
12
|
-
|
|
12
|
+
// Only treat new URL(...) as tainted when req/request appears in the FIRST argument (path).
|
|
13
|
+
// The second argument (base) only contributes the origin — when the first arg is a literal
|
|
14
|
+
// string like "/verified", the resolved path is fixed regardless of the base.
|
|
15
|
+
{ pattern: /new\s+URL\s*\(\s*[^,)]*?(?:req|request)/g, type: "url-input" },
|
|
13
16
|
{ pattern: /(?:event|e)\.(?:target|currentTarget)\.(?:value|textContent|innerHTML)/g, type: "dom-input" },
|
|
14
17
|
];
|
|
15
18
|
// Dangerous sinks (where tainted data causes damage)
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.0.
|
|
3
|
+
"version": "3.0.44",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 365 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|