guardvibe 3.1.17 → 3.1.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +15 -0
- package/package.json +1 -1
|
@@ -842,6 +842,21 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
842
842
|
if (/\b\w*Ref\.current\b/.test(matchedLine))
|
|
843
843
|
continue;
|
|
844
844
|
}
|
|
845
|
+
// VG152 (Object Injection via Dynamic Property Access): only fire on bracket-key
|
|
846
|
+
// ASSIGNMENT (`obj[key] = ...`) — that's the prototype-pollution shape. Read-only
|
|
847
|
+
// bracket access (`obj[key]` on RHS, in conditional, in function arg) does not
|
|
848
|
+
// pollute prototypes; even with attacker-controlled key, you only get a read of
|
|
849
|
+
// an existing or undefined property. The rule's pattern triggers on `req.X` etc.
|
|
850
|
+
// upstream + `\w+[key]` somewhere within 100 chars, which fires on completely
|
|
851
|
+
// benign read patterns like `data[key]` inside `for (const key in data)` loops or
|
|
852
|
+
// `DEFAULT_REDIRECTS[key]` lookups against hardcoded constants. The match string
|
|
853
|
+
// ends at `]` (no trailing `=`), so look slightly past match end for the assignment.
|
|
854
|
+
if (rule.id === "VG152") {
|
|
855
|
+
const window = code.slice(match.index, match.index + match[0].length + 10);
|
|
856
|
+
const isAssignment = /\w+\s*\[\s*(?:key|field|prop|name|column|attr|param)\s*\]\s*=(?!=)/.test(window);
|
|
857
|
+
if (!isAssignment)
|
|
858
|
+
continue;
|
|
859
|
+
}
|
|
845
860
|
// VG126 (Dynamic RegExp from User Input): skip when the variable name signals it has
|
|
846
861
|
// already been escaped/sanitized (e.g. `escapedElement`, `safeQuery`, `sanitizedInput`).
|
|
847
862
|
if (rule.id === "VG126") {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.1.
|
|
3
|
+
"version": "3.1.18",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|