guardvibe 3.1.21 → 3.1.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +13 -1
- package/package.json +1 -1
|
@@ -369,7 +369,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
369
369
|
// - VG010/VG011/VG013/VG014: injection rules trigger on payload strings like
|
|
370
370
|
// agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
|
|
371
371
|
// - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
|
|
372
|
-
const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/)/i.test(filePath);
|
|
372
|
+
const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/__mocks__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/)/i.test(filePath);
|
|
373
373
|
if (isTestFile && ["VG001", "VG003", "VG062", "VG010", "VG011", "VG012", "VG013", "VG014", "VG042", "VG100", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
|
|
374
374
|
continue;
|
|
375
375
|
// VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
|
|
@@ -878,6 +878,18 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
878
878
|
if (declRe.test(code))
|
|
879
879
|
continue;
|
|
880
880
|
}
|
|
881
|
+
// Property-access shapes that defeat single-identifier matching:
|
|
882
|
+
// - `z.enum(table.column.enumValues)` (Drizzle) — column.enumValues is a literal
|
|
883
|
+
// array stamped into the schema at compile time, not user-mutable
|
|
884
|
+
// - `z.enum(filterConfig.field.operators)` (TS `as const` config object) — when
|
|
885
|
+
// the file has any `as const` cast, treat nested property access as static
|
|
886
|
+
const matchedLine = lines[lineNumber - 1] ?? "";
|
|
887
|
+
if (/z\.enum\s*\(\s*[\w$]+(?:\.[\w$]+)+/.test(matchedLine)) {
|
|
888
|
+
if (/\.enumValues\b/.test(matchedLine))
|
|
889
|
+
continue;
|
|
890
|
+
if (/\bas\s+const\b/.test(code))
|
|
891
|
+
continue;
|
|
892
|
+
}
|
|
881
893
|
}
|
|
882
894
|
// VG850 (AI Prompt Injection via User Input): only fire when at least one of the
|
|
883
895
|
// interpolations in the system-prompt template literal looks like user input. The
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.1.
|
|
3
|
+
"version": "3.1.22",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|