guardvibe 3.1.14 → 3.1.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/build/data/rules/database.js +5 -5
  2. package/build/data/rules/other-services.js +4 -4
  3. package/package.json +1 -1
package/build/data/rules/database.js CHANGED
@@ -17,14 +17,14 @@ export const databaseRules = [
17
17
  // RLS is a database-level config, not detectable from application code patterns.
18
18
  {
19
19
  id: "VG432",
20
- name: "Prisma Raw Query Injection",
20
+ name: "Prisma Raw Query Injection (call-form)",
21
21
  severity: "critical",
22
22
  owasp: "A03:2025 Injection",
23
- description: "Prisma $queryRaw or $executeRaw with template literal interpolation. Use Prisma.sql tagged template for safe parameterization.",
24
- pattern: /\.\$(?:queryRaw|executeRaw)`[^`]*\$\{(?!Prisma\.)/g,
23
+ description: "Prisma $queryRaw / $executeRaw invoked as a function with a non-Prisma.sql backtick string argument. The tagged-template form (prisma.$queryRaw`...${var}...`) is auto-parameterized by Prisma and is safe; the call-form (prisma.$queryRaw(`...${var}...`)) interpolates the variable in JS first and bypasses parameterization. Prisma rejects the non-Prisma.sql call-form at runtime, but if it slipped past review it would be a critical injection vector.",
24
+ pattern: /\.\$(?:queryRaw|executeRaw)\s*\(\s*`[^`]*\$\{(?!Prisma\.)/g,
25
25
  languages: ["javascript", "typescript"],
26
- fix: "Use Prisma.sql tagged template for safe parameterization.",
27
- fixCode: 'import { Prisma } from "@prisma/client";\n\nconst result = await prisma.$queryRaw(\n Prisma.sql`SELECT * FROM users WHERE id = ${userId}`\n);',
26
+ fix: "Use the tagged-template form (prisma.$queryRaw`SELECT ... ${var}`) or wrap the argument in Prisma.sql (prisma.$queryRaw(Prisma.sql`SELECT ... ${var}`)). Both are auto-parameterized.",
27
+ fixCode: "// Tagged template (preferred — auto-parameterized)\nconst rows = await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;\n\n// Or with Prisma.sql wrapper\nimport { Prisma } from \"@prisma/client\";\nconst rows = await prisma.$queryRaw(Prisma.sql`SELECT * FROM users WHERE id = ${userId}`);",
28
28
  compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
29
29
  },
30
30
  {
package/build/data/rules/other-services.js CHANGED
@@ -28,8 +28,8 @@ export const otherServiceRules = [
28
28
  name: "Neon/Postgres Connection String Exposure",
29
29
  severity: "critical",
30
30
  owasp: "A07:2025 Sensitive Data Exposure",
31
- description: "Neon or PostgreSQL connection string hardcoded in source code. Contains hostname, credentials, and database name.",
32
- pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']postgres(?:ql)?:\/\/[^"'\s]{10,}["']/gi,
31
+ description: "Neon or PostgreSQL connection string hardcoded in source code with embedded credentials (user:pass@host shape). Local/docker URIs without credentials (e.g. postgres://localhost/db) are not flagged.",
32
+ pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']postgres(?:ql)?:\/\/[^"'\s/@]*@[^"'\s]+["']/gi,
33
33
  languages: ["javascript", "typescript"],
34
34
  fix: "Use DATABASE_URL environment variable. Never hardcode connection strings.",
35
35
  fixCode: 'import { neon } from "@neondatabase/serverless";\nconst sql = neon(process.env.DATABASE_URL!);',
@@ -52,8 +52,8 @@ export const otherServiceRules = [
52
52
  name: "MongoDB Connection String Exposure",
53
53
  severity: "critical",
54
54
  owasp: "A07:2025 Sensitive Data Exposure",
55
- description: "MongoDB connection string hardcoded in source code. Contains credentials and cluster information.",
56
- pattern: /(?:MONGODB_URI|MONGO_URL|mongoUri|mongoUrl|connectionString)\s*[:=]\s*["']mongodb(?:\+srv)?:\/\/[^"'\s]{10,}["']/gi,
55
+ description: "MongoDB connection string hardcoded in source code with embedded credentials (user:pass@host shape). Local/docker URIs without credentials (e.g. mongodb://localhost/db) are not flagged.",
56
+ pattern: /(?:MONGODB_URI|MONGO_URL|mongoUri|mongoUrl|connectionString)\s*[:=]\s*["']mongodb(?:\+srv)?:\/\/[^"'\s/@]*@[^"'\s]+["']/gi,
57
57
  languages: ["javascript", "typescript"],
58
58
  fix: "Use MONGODB_URI environment variable. Never hardcode connection strings.",
59
59
  fixCode: 'import { MongoClient } from "mongodb";\nconst client = new MongoClient(process.env.MONGODB_URI!);',
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "guardvibe",
3
- "version": "3.1.14",
3
+ "version": "3.1.16",
4
4
  "mcpName": "io.github.goklab/guardvibe",
5
5
  "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
6
6
  "type": "module",