guardvibe 3.1.11 → 3.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +17 -0
- package/package.json +1 -1
|
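--- a/package/build/tools/check-code.js
+++ b/package/build/tools/check-code.js
@@ -333,6 +333,13 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
 while ((lit = literalUrlAssignRe.exec(code)) !== null)
 literalUrlVars.add(lit[1]);
 }
+// jsforce SOQL skip signal for VG123. jsforce's `conn.query()` is SOQL
+// (Salesforce's query language), not SQL — different injection semantics, and
+// jsforce does not support parameterized queries. The documented practice is
+// manual escape via a `sanitize*Soql*` helper. File-level boolean: cheaper
+// than re-testing both regexes per match.
+const fileIsJsforceWithSoqlSanitizer = /from\s+["']@?jsforce[\w@/-]*["']/i.test(code) &&
+/sanitiz\w*Soql\w*/i.test(code);
 // Config: check custom auth function names from .guardviberc
 if (!codeHasAuthGuard && config.authFunctions && config.authFunctions.length > 0) {
 const customPattern = new RegExp(`(?:${config.authFunctions.join("|")})\\s*\\(`, "i");
@@ -877,6 +884,16 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
 if (isServiceVerbCall && !hasSqlKeyword)
 continue;
 }
+// Skip VG010/VG123 (SQL injection family) on jsforce SOQL calls. SOQL has
+// different injection semantics than SQL and jsforce does not support
+// parameterized queries — the documented practice is manual escape via a
+// `sanitize*Soql*` helper. File must import jsforce AND use a SOQL
+// sanitizer — both required, so a jsforce file that forgets to escape
+// still fires. Both VG010 and VG123 are listed because the dedup logic
+// (isDuplicatePair) collapses them on the same line; without skipping
+// both, VG010 just takes over when VG123 is suppressed.
+if ((rule.id === "VG123" || rule.id === "VG010") && fileIsJsforceWithSoqlSanitizer)
+continue;
 // Skip supply chain rules for known legitimate packages
 if (["VG872", "VG873"].includes(rule.id)) {
 const pkgMatch = /"([\w@/-]+)"/.exec(match[0]);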
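Review bot: The added `if` at new line 895 is a file-level allowlist: once any `sanitiz…Soql…` identifier appears anywhere in a file that imports jsforce, every VG010/VG123 match in that file is dropped — including a `conn.query(`...${input}`)` that never calls the helper, and any non-jsforce SQL client used in the same file, since neither regex looks at the matched call — so the comment's claim that "a jsforce file that forgets to escape still fires" only holds when it forgets everywhere. The sanitizer regex also matches inside comments and string literals, so a stray mention such as a TODO is enough to silence both rules. I would gate the skip on the match rather than the file, e.g. `if ((rule.id === "VG123" || rule.id === "VG010") && fileIsJsforceWithSoqlSanitizer && /sanitiz\w*Soql\w*/i.test(match[0])) continue;` (testing the match's source line instead if `match[0]` holds only the call head, which I cannot tell from this hunk), and reword the first comment line to `// Skip VG010/VG123 only where the matched jsforce call itself goes through a SOQL sanitizer.` Note also that the import regex recognizes only ES `from "jsforce"`, so a `require("jsforce")` file never sets the flag — possibly intended, but worth a comment. analyzeCode begins before and ends after this hunk.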
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.1.
|
|
3
|
+
"version": "3.1.12",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|