guardvibe 3.1.38 → 3.1.39

package/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.1.39] - 2026-06-07
+
+### Added — SSRF taint detection + taint-engine precision (no rule-count change, 438 / 36)
+- **SSRF taint sink** — user input flowing into the URL of an outbound request (fetch/axios/got/http.request) is now detected on the check path and in the audit. It is **host-position-aware**: only a tainted host is flagged, so a tainted path/query on a fixed host (`fetch(`${BASE}/api?${q}`)`), a tainted POST body, a same-origin relative URL, or a `new URL(path, base)` with a fixed base are NOT false-positived. Client components, test files, and SSRF-validated code are skipped. Validated against the corpus: 1 hit, a real SSRF, with zero false positives — far more precise than a plain `fetch(variable)` regex.
+- **Minified/generated bundles are skipped for taint** (shared `looksMinified` heuristic), removing a false-positive class where mangled `e`/`t` parameters in bundles masquerade as taint sources.
+- **Cross-file taint** now also detects command injection (`exec`/`execSync` via an imported helper), matching the per-file analyzer.
+- The audit's secret section now skips test fixtures (matching the check path), so fake keys in `*.spec`/test files no longer surface as findings.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.1.38] - 2026-06-07
 
 ### Fixed — false-positive precision, verified one rule at a time (no rule-count change, 438 / 36)

package/build/tools/cross-file-taint.js

@@ -226,6 +226,8 @@ function parseExports(file, content) {
 function extractFunctions(file, content) {
     const functions = [];
     const lines = content.split("\n");
+    // guardvibe-ignore VG011 — these are function-detection regex literals (this file defines
+    // analysis patterns, not vulnerable code); the `WORD = /...\(/` shape self-matches VG011.
     const funcPattern = /(?:export\s+(?:default\s+)?)?(?:async\s+)?function\s+([\w$]+)\s*\(([^)]*)\)/;
     const arrowPattern = /(?:export\s+)?(?:const|let|var)\s+([\w$]+)\s*=\s*(?:async\s+)?(?:\(([^)]*)\)\s*=>|\([^)]*\)\s*:\s*\w+\s*=>|function\s*\(([^)]*)\))/;
     for (let i = 0; i < lines.length; i++) {
@@ -279,6 +281,10 @@ const SINK_PATTERNS = [
     { pattern: /new\s+Function\s*\(/g, type: "code-injection" },
     { pattern: /writeFileSync?\s*\(/g, type: "path-traversal" },
     { pattern: /readFileSync?\s*\(/g, type: "path-traversal" },
+    // Bare child_process exec()/execSync() (shell-invoking). Lookbehind excludes method
+    // calls like regex.exec()/db.execSync(). Mirrors the per-file taint sink so cross-file
+    // command injection (input flows through an imported helper into exec) is caught too.
+    { pattern: /(?<!\.)\bexec(?:Sync)?\s*\(/g, type: "command-injection" },
 ];
 // Patterns that break the taint chain (validation/sanitization)
 const SANITIZER_PATTERNS = [
@@ -595,7 +601,7 @@ function extractCallArgs(line, funcName) {
     return args;
 }
 function deriveSeverity(sinkType) {
-    if (sinkType === "code-injection" || sinkType === "sql-injection")
+    if (sinkType === "code-injection" || sinkType === "sql-injection" || sinkType === "command-injection")
         return "critical";
     if (sinkType === "xss" || sinkType === "path-traversal")
         return "high";
@@ -606,6 +612,7 @@ function getSinkFix(sinkType) {
     const fixes = {
         "sql-injection": "Use parameterized queries instead of string interpolation.",
         "code-injection": "Never pass user input to eval() or Function constructor.",
+        "command-injection": "Use execFile()/spawn() with an argument array (no shell) and validate input against an allowlist.",
         "xss": "Use textContent instead of innerHTML, or sanitize with DOMPurify.",
         "open-redirect": "Validate redirect URLs against a trusted domain allowlist.",
         "path-traversal": "Validate file paths with path.resolve() and check they stay within allowed directories.",

package/build/tools/file-security.js

@@ -24,7 +24,7 @@ import { basename } from "path";
 import { analyzeCode } from "./check-code.js";
 import { analyzeTaint } from "./taint-analysis.js";
 import { scanContent } from "./scan-secrets.js";
-import { isExcludedFilename } from "../utils/constants.js";
+import { isExcludedFilename, looksMinified } from "../utils/constants.js";
 const TAINT_OWASP = {
     "sql-injection": "A03:2021 Injection",
     "command-injection": "A03:2021 Injection",
@@ -32,6 +32,7 @@ const TAINT_OWASP = {
     "xss": "A03:2021 Injection",
     "open-redirect": "A01:2021 Broken Access Control",
     "path-traversal": "A01:2021 Broken Access Control",
+    "ssrf": "A10:2021 Server-Side Request Forgery",
 };
 // Regex VG rules that already represent the same vuln class as a taint sink type.
 // When one fires on the exact sink line, the taint finding is redundant — drop it.
@@ -42,6 +43,7 @@ const TAINT_REGEX_OVERLAP = {
     "xss": new Set(["VG012", "VG408", "VG852", "VG1080", "VG1084"]),
     "open-redirect": new Set(["VG101", "VG409", "VG425", "VG660"]),
     "path-traversal": new Set(["VG102"]),
+    "ssrf": new Set(["VG120"]),
 };
 // Regex rules that already report a hardcoded secret; drop a secret-pattern hit on the
 // same line as one of these to avoid double-reporting.
@@ -53,26 +55,6 @@ const TEST_FILE_RE = /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|j
 // Synthetic regex that never matches — synthetic rules are only ever attached to
 // pre-computed findings, never run against source.
 const NEVER_MATCH = /(?!)/;
-// Minified bundles pack everything onto a few enormous lines; mangled `e`/`t` params
-// then masquerade as taint sources (`e.target.value`) feeding innerHTML sinks — a pure
-// FP class. The audit excludes these from taint via collectJsFiles+isExcludedFilename;
-// the check path mirrors that with a name pattern plus a content fallback for bundles
-// that aren't named `.min.js`.
-function looksMinified(code) {
-    if (code.length < 5000)
-        return false;
-    let lineLen = 0;
-    for (let i = 0; i < code.length; i++) {
-        if (code[i] === "\n") {
-            if (lineLen > 1000)
-                return true;
-            lineLen = 0;
-        }
-        else
-            lineLen++;
-    }
-    return lineLen > 1000;
-}
 function taintToFinding(t) {
     const rule = {
         id: `TAINT:${t.sink.type}`,

package/build/tools/full-audit.js

@@ -195,9 +195,12 @@ export async function runFullAudit(path, options) {
             const secretsJson = scanSecrets(projectRoot, true, "json");
             const parsed = safeJsonParse(secretsJson);
             if (parsed) {
-                // Filter out gitignored secrets — they're local dev files, not a security risk
+                // Filter out gitignored secrets — they're local dev files, not a security risk —
+                // and secrets in test fixtures, which carry fake keys by design (e.g. a test PEM in
+                // a *.spec.ts crypto test). Mirrors the check path's file-security test-file skip.
+                const isTestSecretFile = (f) => /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|_test\.go$|\/__tests__\/|\/__mocks__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/dockertest\/|\/testutil\/|\/testhelpers?\/|\/testfixtures?\/|\/fixtures?\/)/i.test(f);
                 const rawFindings = parsed.findings ?? [];
-                const actionableFindings = rawFindings.filter((f) => f.gitStatus !== "ignored");
+                const actionableFindings = rawFindings.filter((f) => f.gitStatus !== "ignored" && !isTestSecretFile((f.file ?? "")));
                 const ignoredCount = rawFindings.length - actionableFindings.length;
                 const actionableCritical = actionableFindings.filter((f) => f.severity === "critical").length;
                 const actionableHigh = actionableFindings.filter((f) => f.severity === "high").length;

package/build/tools/taint-analysis.js

@@ -4,6 +4,7 @@
  * Not a full AST/CFG analysis, but follows variable assignments through lines.
  */
 import { isRuleDefinitionFile } from "./check-code.js";
+import { looksMinified } from "../utils/constants.js";
 // User input sources (tainted data entry points)
 const TAINT_SOURCES = [
     { pattern: /(?:req|request)\.(?:body|query|params|headers|cookies)\b/g, type: "http-input" },
@@ -84,6 +85,10 @@ function isSafeParameterizedSqlSink(lines, sinkIdx) {
     const interps = tpl.match(/\$\{[^}]*\}/g) || [];
     return interps.every(s => /\$\{\s*[\w$.]*(?:hash|sha\d*|md5|bcrypt|argon2?|hmac|digest|encode|escape|encodeURIComponent|toString|String|Number|parseInt|parseFloat)\b/i.test(s));
 }
+// Outbound-request calls whose FIRST argument is the URL. The capture group grabs the
+// first argument (up to the first top-level comma) so SSRF detection can scope to the URL
+// position only. Covers fetch, axios.*, got.*, http(s).get/request, superagent.*.
+const SSRF_CALL = /\b(?:fetch|axios(?:\.(?:get|post|put|delete|patch|head|request))?|got(?:\.(?:get|post|put|delete|patch|head))?|https?\.(?:get|request)|superagent\.(?:get|post|del|put))\s*\(\s*([^,)]+)/g;
 /**
  * A `redirect(...)` whose target is a root-relative, same-origin path
  * (e.g. redirect("/login") or redirect(`/${slug}/settings`)) cannot be an open
@@ -155,6 +160,9 @@ export function analyzeTaint(code, language, filePath) {
     // code snippets in pattern regexes, fixCode strings, and exploit examples.
     if (isRuleDefinitionFile(code, filePath))
         return [];
+    // Skip minified/generated bundles — mangled `e`/`t` params masquerade as taint sources.
+    if (looksMinified(code))
+        return [];
     const lines = code.split("\n");
     const findings = [];
     const assignments = extractAssignments(lines);
@@ -221,6 +229,77 @@ export function analyzeTaint(code, language, filePath) {
             }
         }
     }
+    // SSRF: a tainted value used as the HOST of the URL (FIRST argument) of an outbound
+    // request. Scoped to the first arg so a tainted POST *body* (axios.post(url, body)) is
+    // not a false positive, and to the host region so a tainted path/query on a FIXED host
+    // (`fetch(`${WEBAPP_URL}/api?${q}`)`) is not flagged — only an attacker-controlled host
+    // can reach internal services. Root-relative URLs stay same-origin and are excluded.
+    // Client components (browser fetch ≠ SSRF) and test files are skipped. This is far more
+    // precise than the VG120 regex, which flags any fetch(variable).
+    const isClientComponent = /^\s*['"]use client['"]/m.test(code.slice(0, 400));
+    const isTestPath = filePath ? /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.[cm]?[jt]sx?$|_test\.go$|\/__tests__\/|\/__mocks__\/|\/tests?\/|\/cypress\/|\/playwright\/|\/fixtures?\/)/i.test(filePath) : false;
+    // SSRF-validated files (allowlist / private-IP block / SSRF-specific validators) are
+    // treated as protected — the user URL is checked before the request.
+    const hasSsrfGuard = /\b(?:validateUrlForSSRF|isTrustedInternalUrl|isAllowedUrl|assertSafeUrl|ssrfFilter|blockPrivateIp|isPublicUrl)\b/i.test(code);
+    const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+    if (!isClientComponent && !isTestPath && !hasSsrfGuard)
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            SSRF_CALL.lastIndex = 0;
+            let m;
+            while ((m = SSRF_CALL.exec(line)) !== null) {
+                const urlArg = m[1].trim();
+                // Same-origin root-relative target (fetch("/api/x"), fetch(`/api/${id}`)) is not SSRF.
+                if (/^["'`]\/(?!\/)/.test(urlArg))
+                    continue;
+                // Host region: strip a leading quote/backtick and scheme, then take up to the first
+                // path/query separator. Only a tainted value HERE (the host) is SSRF.
+                const stripped = urlArg.replace(/^[`'"]/, "");
+                const hasScheme = /^https?:\/\//i.test(stripped);
+                const host = stripped.replace(/^https?:\/\//i, "").split(/[/?#`'"]/)[0];
+                let srcType = null;
+                let srcVar = "(inline)";
+                let direct = false;
+                // Word-boundary match so a tainted `req` does not match the substring of `request`.
+                const tv = taintedVars.find(v => new RegExp(`\\b${escapeRe(v.name)}\\b`).test(host));
+                if (tv) {
+                    srcType = tv.sourceType ?? "propagated";
+                    srcVar = tv.name;
+                    direct = srcType !== "propagated" && srcType !== "return-propagated";
+                }
+                if (!srcType) {
+                    for (const source of TAINT_SOURCES) {
+                        source.pattern.lastIndex = 0;
+                        if (source.pattern.test(host)) {
+                            srcType = source.type;
+                            direct = true;
+                            break;
+                        }
+                    }
+                }
+                if (!srcType)
+                    continue;
+                // A no-scheme host (bare var or `${x}/...`) is only SSRF when the value is the WHOLE
+                // user-controlled URL (a direct source) — a propagated var may be a relative/fixed
+                // path. A scheme-prefixed external URL with a tainted host is always SSRF.
+                if (!hasScheme && !direct)
+                    continue;
+                // `new URL(path, base)` resolves its host from the 2nd argument (base). When the var
+                // was built that way, the tainted part is only the path — the host is the fixed base.
+                if (tv && srcType === "url-input" && /new\s+URL\s*\([^;\n]*,/.test(lines[tv.line - 1] ?? ""))
+                    continue;
+                if (findings.some(f => f.sink.line === i + 1 && f.sink.type === "ssrf"))
+                    continue;
+                findings.push({
+                    source: { type: srcType, line: tv ? tv.line : i + 1, variable: srcVar },
+                    sink: { type: "ssrf", line: i + 1, code: line.trim().substring(0, 100) },
+                    chain: [`[SOURCE] ${srcType} -> URL`, `[SINK] ssrf (line ${i + 1})`],
+                    severity: "high",
+                    description: "User input flows into the URL of a server-side request, enabling SSRF (internal services, cloud metadata at 169.254.169.254).",
+                    fix: "Validate the URL against an allowlist of trusted hosts and block private/internal IP ranges before making the request.",
+                });
+            }
+        }
     return findings;
 }
 export function formatTaintFindings(findings, format) {

package/build/utils/constants.d.ts

@@ -11,3 +11,9 @@ export declare const DEFAULT_EXCLUDES: Set<string>;
 /** File-name patterns excluded from scans — minified bundles, vendor libs, generated artifacts. */
 export declare const DEFAULT_FILE_PATTERN_EXCLUDES: RegExp[];
 export declare function isExcludedFilename(name: string): boolean;
+/**
+ * Heuristic: does this source look like a minified/generated bundle? Such files pack
+ * everything onto a few enormous lines, and their mangled `e`/`t` params masquerade as
+ * taint sources — a pure false-positive class. Detect by a very long single line.
+ */
+export declare function looksMinified(code: string): boolean;

package/build/utils/constants.js

@@ -44,3 +44,23 @@ export const DEFAULT_FILE_PATTERN_EXCLUDES = [
 export function isExcludedFilename(name) {
     return DEFAULT_FILE_PATTERN_EXCLUDES.some((pattern) => pattern.test(name));
 }
+/**
+ * Heuristic: does this source look like a minified/generated bundle? Such files pack
+ * everything onto a few enormous lines, and their mangled `e`/`t` params masquerade as
+ * taint sources — a pure false-positive class. Detect by a very long single line.
+ */
+export function looksMinified(code) {
+    if (code.length < 5000)
+        return false;
+    let lineLen = 0;
+    for (let i = 0; i < code.length; i++) {
+        if (code[i] === "\n") {
+            if (lineLen > 1000)
+                return true;
+            lineLen = 0;
+        }
+        else
+            lineLen++;
+    }
+    return lineLen > 1000;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.38",
+  "version": "3.1.39",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 438 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 67 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",