guardvibe 3.1.17 → 3.1.19

package/build/tools/check-code.js

@@ -842,6 +842,63 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (/\b\w*Ref\.current\b/.test(matchedLine))
                     continue;
             }
+            // VG850 (AI Prompt Injection via User Input): only fire when at least one of the
+            // interpolations in the system-prompt template literal looks like user input. The
+            // pattern matches any `${...}` interpolation, but apps commonly compose system
+            // prompts from constants — `system: ` + "`${codePrompt}\\n...`" + ` — and these
+            // constants are not attacker-controlled. User-input shapes: `req.X`/`body.X`/
+            // `params.X`/`query.X`/`searchParams.X`, or bare identifiers named `userInput`,
+            // `userMessage`, `userPrompt`, `prompt`, `input`, `message`.
+            if (rule.id === "VG850") {
+                // Match starts at `system:` and ends at `${`. Look at the surrounding window
+                // for the rest of the template literal (it can span multiple lines).
+                const window = lines.slice(Math.max(0, lineNumber - 1), Math.min(lines.length, lineNumber + 6)).join("\n");
+                const interpolations = Array.from(window.matchAll(/\$\{([^}]+)\}/g)).map(m => m[1].trim());
+                if (interpolations.length > 0) {
+                    const isUserInput = (expr) => /\b(?:req|request|body|query|params|searchParams)\.\w+/.test(expr) ||
+                        /^(?:userInput|userMessage|userPrompt|prompt|input|message)\b/.test(expr) ||
+                        /\buser(?:Input|Message|Prompt|Query|Text|Content|Data)\b/.test(expr);
+                    if (!interpolations.some(isUserInput))
+                        continue;
+                }
+            }
+            // VG999 (AI Request Without maxTokens): skip when the call uses structured output
+            // (`output: Output.array(...)` / `output: Output.object(...)`) — token usage is
+            // bounded by the schema, not free-form text. The match already excludes calls
+            // that explicitly set maxTokens; structured-output calls are similarly bounded.
+            // Need to look at a wider window than match[0] because the match terminates at
+            // `}` and `output:` may appear elsewhere in the call options.
+            if (rule.id === "VG999") {
+                if (/\boutput\s*:\s*Output\.(?:array|object|enum)\s*\(/i.test(match[0]))
+                    continue;
+            }
+            // VG1027 (Conversation Messages Serialized to Client With System Role): skip when
+            // the response is built via a filter/conversion helper that strips the system role.
+            // Vercel AI SDK convention names: `convertToUIMessages` (recommended), `filterMessages`,
+            // `pickRole`, `sanitizeMessages`, `publicMessages`. Pattern matches up to the
+            // `messages` key but doesn't include the value, so check the surrounding lines.
+            if (rule.id === "VG1027") {
+                const surrounding = lines.slice(Math.max(0, lineNumber - 1), Math.min(lines.length, lineNumber + 3)).join("\n");
+                // No trailing \b — the helper names are CamelCase and continue with more word chars
+                // (convertToUIMessages, sanitizeMessagesForClient, etc.). Prefix match is intentional.
+                if (/\b(?:convertToUI|filterMessages|pickRole|sanitizeMessages|publicMessages|visibleMessages|userMessages|convertMessages)/i.test(surrounding))
+                    continue;
+            }
+            // VG152 (Object Injection via Dynamic Property Access): only fire on bracket-key
+            // ASSIGNMENT (`obj[key] = ...`) — that's the prototype-pollution shape. Read-only
+            // bracket access (`obj[key]` on RHS, in conditional, in function arg) does not
+            // pollute prototypes; even with attacker-controlled key, you only get a read of
+            // an existing or undefined property. The rule's pattern triggers on `req.X` etc.
+            // upstream + `\w+[key]` somewhere within 100 chars, which fires on completely
+            // benign read patterns like `data[key]` inside `for (const key in data)` loops or
+            // `DEFAULT_REDIRECTS[key]` lookups against hardcoded constants. The match string
+            // ends at `]` (no trailing `=`), so look slightly past match end for the assignment.
+            if (rule.id === "VG152") {
+                const window = code.slice(match.index, match.index + match[0].length + 10);
+                const isAssignment = /\w+\s*\[\s*(?:key|field|prop|name|column|attr|param)\s*\]\s*=(?!=)/.test(window);
+                if (!isAssignment)
+                    continue;
+            }
             // VG126 (Dynamic RegExp from User Input): skip when the variable name signals it has
             // already been escaped/sanitized (e.g. `escapedElement`, `safeQuery`, `sanitizedInput`).
             if (rule.id === "VG126") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.17",
+  "version": "3.1.19",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",