npm - guardvibe - Versions diffs - 3.1.19 → 3.1.21 - Mend

guardvibe 3.1.19 → 3.1.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/data/rules/core.js +1 -1
package/build/tools/check-code.js +41 -4
package/package.json +1 -1

package/build/data/rules/core.js CHANGED Viewed

@@ -296,7 +296,7 @@ export const coreRules = [
         severity: "high",
         owasp: "A02:2025 Injection",
         description: "Deep merge or object assignment from user input can lead to prototype pollution.",
-        pattern: /(?:Object\.assign|merge|deepMerge|extend)\s*\([^)]*(?:req\.|request\.|body|params)/gi,
+        pattern: /(?:Object\.assign|\bmerge\b|deepMerge|\bextend\b)\s*\([^)]*(?:req\.|request\.|\bbody\b|\bparams\b)/gi,
         languages: ["javascript", "typescript"],
         fix: "Use Object.create(null) for lookup objects. Validate that keys don't include __proto__, constructor, or prototype.",
         fixCode: "// Use Object.create(null) for lookups\nconst lookup = Object.create(null);\n// Validate keys\nconst forbidden = ['__proto__', 'constructor', 'prototype'];\nif (forbidden.includes(key)) throw new Error('Invalid key');",

package/build/tools/check-code.js CHANGED Viewed

@@ -313,7 +313,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         /import\s+.*(?:verifyCron|cronAuth|validateCron|checkCron)/i.test(code);
     const codeHasRedirectValidation = /(?:sanitize|validate|verify|check|safe|allowed)(?:Redirect|RedirectUrl|CallbackUrl)\s*\(/i.test(code) ||
         /import\s+.*(?:sanitizeRedirect|validateRedirect|safeRedirect)/i.test(code);
-    const isMigrationFile = filePath ? /(?:migrations?|supabase\/migrations|seeds?|fixtures)\//i.test(filePath) : false;
+    const isMigrationFile = filePath ? /(?:\/(?:migrations?|migrate|drizzle|seeds?|fixtures)\/|supabase\/migrations\/)/i.test(filePath) : false;
     const isSqlSchemaFile = filePath ? /(?:schema|migration|seed|ddl|init).*\.sql$/i.test(filePath) : false;
     const isReactNative = /(?:react-native|from\s+['"]react-native['"]|from\s+['"]expo|import\s+.*\bexpo\b)/i.test(code);
     const codeHasTimingSafeEqual = /(?:timingSafeEqual|timing.?safe|constant.?time)/i.test(code);
@@ -369,8 +369,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // - VG010/VG011/VG013/VG014: injection rules trigger on payload strings like
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
-        const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
+        const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/)/i.test(filePath);
+        if (isTestFile && ["VG001", "VG003", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
             continue;
         // VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
         // surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
@@ -416,7 +416,14 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         const isAdminRoute = filePath && /\/admin\//i.test(filePath);
         // Server-side batch context: scripts, migrations, seeds. These run offline or
         // on-deploy, not against user requests, so DoS-from-unbounded-results doesn't apply.
-        const isBatchScriptFile = filePath && /\/(?:scripts?|migrations?|seeds?|fixtures?)\//i.test(filePath);
+        const isBatchScriptFile = filePath && /\/(?:scripts?|migrations?|seeds?|fixtures?|benchmarks?)\//i.test(filePath);
+        // Code-generator/scaffold templates. CLI tools (create-t3-app, create-next-app,
+        // create-react-app, etc.) bundle "Hello World" example files under cli/template/
+        // or templates/ that are intentionally minimal — no auth, no input validation,
+        // no rate limiting. These get copied into user projects where the user is
+        // expected to customize them. Flagging them in the CLI tool's own audit produces
+        // noise without surfacing real production risk.
+        const isTemplateFile = filePath && /\/(?:templates?|scaffolds?|stubs?|boilerplate)\//i.test(filePath);
         // Skip rate-limit rules when the file installs a global rate limiter via app.use().
         // Covers `app.use(rateLimit({...}))`, `app.use(limiter)`, `app.use('/api', rateLimit({...}))`,
         // and named middleware vars matching limiter naming conventions.
@@ -490,6 +497,19 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         // request handler to authorize. Rule still fires inside route handlers and Server Actions.
         if (rule.id === "VG1008" && isBatchScriptFile)
             continue;
+        // Skip VG124 (Insecure Random for Security Token) in benchmark/seed/script files —
+        // Math.random() in benchmarks (`keys[Math.floor(Math.random() * keys.length)]` to pick
+        // a random test key) and seeders (`storeEncryptedKeys: Math.random() > 0.7` for fixture
+        // distribution) is intentional fixture randomness, not a security token. Real tokens
+        // generated in scripts should still use crypto.randomBytes — but the rule's keyword list
+        // (`token|key|code|...`) over-matches non-security `key` references in test code.
+        if (rule.id === "VG124" && isBatchScriptFile)
+            continue;
+        // Skip tRPC educational/scaffold rules (VG970 publicProcedure-DB, VG971 missing-input)
+        // in template/scaffold files. CLI tools like create-t3-app ship intentionally simple
+        // examples under cli/template/ that the user is expected to replace before deploying.
+        if ((rule.id === "VG970" || rule.id === "VG971") && isTemplateFile)
+            continue;
         // Skip VG961 (z.any/z.unknown) in batch scripts and cron routes — `data: z.any()` and
         // similar opaque fields in migration/seed scripts and cron job payloads are intentional
         // passthroughs (e.g. Tinybird `tb.buildPipe({ parameters: ..., data: z.any() })`),
@@ -842,6 +862,23 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (/\b\w*Ref\.current\b/.test(matchedLine))
                     continue;
             }
+            // VG1021 (AI Tool Schema Enum from User Input): skip when the variable passed to
+            // z.enum / "enum": is declared as a static literal array (`const X = [...] as const`,
+            // `const X = [...]`) elsewhere in the file. The existing pattern's lowercase-identifier
+            // heuristic correctly catches `userActions` style variables, but Zod's idiomatic pattern
+            // `const commonStringOperators = ["is", "contains"] as const; z.enum(commonStringOperators)`
+            // also has a lowercase-start name and is fully compile-time-static.
+            if (rule.id === "VG1021") {
+                const varMatch = match[0].match(/(?:z\.enum\s*\(\s*(?:\.\.\.)?|enum["']\s*:\s*)([a-z_$][\w$]*)/);
+                if (varMatch) {
+                    const varName = varMatch[1];
+                    // Detect: `const NAME = [` (literal array) or `const NAME: SomeType = [`. The array
+                    // can span multiple lines so just check for the `[` on the assignment.
+                    const declRe = new RegExp(`(?:const|let|var)\\s+${varName}\\s*(?::\\s*[\\w<>[\\],\\s|.]+)?\\s*=\\s*\\[`);
+                    if (declRe.test(code))
+                        continue;
+                }
+            }
             // VG850 (AI Prompt Injection via User Input): only fire when at least one of the
             // interpolations in the system-prompt template literal looks like user input. The
             // pattern matches any `${...}` interpolation, but apps commonly compose system

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.19",
+  "version": "3.1.21",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",