guardvibe 3.1.4 → 3.1.6

package/build/data/rules/advanced-security.js

@@ -47,7 +47,11 @@ export const advancedSecurityRules = [
         severity: "high",
         owasp: "A04:2025 Insecure Design",
         description: "Code reads a value, checks a condition, then updates based on the check — without a database transaction. Two concurrent requests can both pass the check before either writes, leading to double-spending, overselling, or duplicate operations.",
-        pattern: /(?:findUnique|findFirst|findOne|findById)\s*\([\s\S]{0,200}?\)\s*;?\s*\n[\s\S]{0,300}?if\s*\([\s\S]{0,200}?\)\s*\{[\s\S]{0,500}?(?:\.update\s*\(|\.delete\s*\(|\.decrement|\.increment)(?:(?!\$transaction|\.transaction|BEGIN|SERIALIZABLE|FOR UPDATE|NOWAIT)[\s\S]){0,300}?\}/g,
+        // Negative lookahead at the start of the if-body skips the 404-mapping shape
+        // (`if (!x) { return …; }`). Without it, the engine's backtracking matched updates
+        // that lived OUTSIDE the if-block (within 500-char window after the brace), making
+        // every `findUnique → if(!x) 404 → update` admin route a false hit.
+        pattern: /(?:findUnique|findFirst|findOne|findById)\s*\([\s\S]{0,200}?\)\s*;?\s*\n[\s\S]{0,300}?if\s*\([\s\S]{0,200}?\)\s*\{(?!\s*(?:return\b|throw\b|res\.\w+\(|response\.\w+\(|next\.\w+\(|NextResponse\.))[\s\S]{0,500}?(?:\.update\s*\(|\.delete\s*\(|\.decrement|\.increment)(?:(?!\$transaction|\.transaction|BEGIN|SERIALIZABLE|FOR UPDATE|NOWAIT)[\s\S]){0,300}?\}/g,
         languages: ["javascript", "typescript"],
         fix: "Wrap check-then-act sequences in a database transaction, or use atomic operations (e.g., UPDATE WHERE balance >= amount).",
         fixCode: '// BAD: race condition\nconst account = await db.account.findUnique({ where: { id } });\nif (account.balance >= 100) {\n  await db.account.update({ where: { id }, data: { balance: { decrement: 100 } } });\n}\n\n// GOOD: atomic transaction\nawait db.$transaction(async (tx) => {\n  const account = await tx.account.findUnique({ where: { id } });\n  if (account.balance < 100) throw new Error("Insufficient");\n  await tx.account.update({ where: { id }, data: { balance: { decrement: 100 } } });\n});',

package/build/data/rules/ai-tool-runtime.js

@@ -96,7 +96,12 @@ export const aiToolRuntimeRules = [
         severity: "high",
         owasp: "A05:2025 Security Misconfiguration",
         description: "AI tool / MCP tool parameter schema (`z.enum(...)`, JSON Schema `enum`) is constructed at runtime from user input, fetched data, or a mutable variable. Runtime-mutable schemas defeat the safety guarantees the LLM relies on — an attacker can widen the accepted enum set or inject schema fields by poisoning the input.",
-        pattern: /(?:z\.enum\s*\(\s*(?!\[\s*["'])(?:[a-zA-Z_$][\w$]*|\.\.\.\w+)|["']enum["']\s*:\s*(?!\[\s*(?:["']|true|false|null|\d))(?:[a-zA-Z_$][\w$]*\b|`[^`]*\$\{))/g,
+        // Lowercase-start identifier required: PascalCase (`FraudAlertStatus`) and SCREAMING_SNAKE
+        // (`STATUSES`) are TypeScript enum imports / module-level const arrays — compile-time
+        // static, not user-mutable. Real attack shape uses lowercase variable names
+        // (`allowedActions`, `userActions`, `...userInput`). Template-literal interpolation in
+        // the JSON-schema branch (`enum: \`...${x}...\``) stays matched — that IS a real risk.
+        pattern: /(?:z\.enum\s*\(\s*(?!\[\s*["'])(?:[a-z_$][\w$]*|\.\.\.[a-z_$]\w*)|["']enum["']\s*:\s*(?!\[\s*(?:["']|true|false|null|\d))(?:[a-z_$][\w$]*\b|`[^`]*\$\{))/g,
         languages: ["javascript", "typescript"],
         fix: "Define enum values as static literal arrays in source. Never compute schema enums from runtime data.",
         fixCode: '// SAFE:\nparameters: z.object({\n  action: z.enum(["read", "list"]),\n})\n\n// UNSAFE — user controls allowed actions:\n// parameters: z.object({ action: z.enum(allowedActions) })',

package/build/tools/check-code.js

@@ -351,7 +351,32 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678"].includes(rule.id))
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021"].includes(rule.id))
+            continue;
+        // VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
+        // surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
+        // Library helpers, getStaticProps, internal _utils, and lib/handler test fixtures
+        // also use `findMany` but aren't list endpoints serving paginated client requests.
+        if (rule.id === "VG955" && filePath) {
+            const isRouteFile = /(?:\/api\/|\/route\.(?:ts|tsx|js|jsx)$|\/pages\/api\/|\/app\/api\/)/.test(filePath);
+            const isServerAction = /^\s*['"]use server['"];?\s*$/m.test(code.slice(0, 500));
+            const isStaticBuildHelper = /(?:getStaticProps|getStaticPaths|generateStaticParams|buildLegacy|getServerSideProps)/.test(filePath);
+            if (!isRouteFile && !isServerAction)
+                continue;
+            if (isStaticBuildHelper)
+                continue;
+        }
+        // VG506 (Hardcoded Secret in Vercel Config): the rule's intent is `vercel.json`
+        // specifically — its `_KEY`/`_SECRET`/`_TOKEN` regex unintentionally matched
+        // translation values in i18n locale JSONs (`packages/i18n/locales/da/common.json`
+        // etc. with strings like "user_secret_phrase": "<long Danish text>"). Restrict to
+        // actual Vercel config files.
+        if (rule.id === "VG506" && filePath && !/(?:^|\/)vercel\.json$/.test(filePath))
+            continue;
+        // VG041 (Debug mode in production): playground/demo/example paths are explicitly
+        // debug-mode showcases — `DEBUG = true` is the entire point of the file. Skip
+        // those paths to avoid swamping the report.
+        if (rule.id === "VG041" && filePath && /\/(?:playground|demos?|examples?|sandbox)\//i.test(filePath))
             continue;
         // Skip Expo-specific rule (VG708) when project is not an Expo app.
         // The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"
@@ -841,6 +866,8 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 const matched = match[0];
                 if (/\bin\s*:\s*\[/i.test(matched))
                     continue; // where: { x: { in: [...] } }
+                if (/\bin\s*:\s*[a-zA-Z_$]/i.test(matched))
+                    continue; // where: { x: { in: someArray } } — variable-spread is also caller-bounded
                 if (/\b(?:id|[a-zA-Z]+Id)\s*:\s*\{?\s*in\s*:/i.test(matched))
                     continue; // where: { partnerId: { in: ids } }
                 if (/\b(?:id|[a-zA-Z]+Id)\s*:\s*[a-zA-Z_$]/i.test(matched))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.4",
+  "version": "3.1.6",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",