guardvibe 3.1.5 → 3.1.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/tools/check-code.js +40 -1
- package/package.json +1 -1
|
@@ -351,7 +351,32 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
351
351
|
// agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
|
|
352
352
|
// - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
|
|
353
353
|
const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
|
|
354
|
-
if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678"].includes(rule.id))
|
|
354
|
+
if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
|
|
355
|
+
continue;
|
|
356
|
+
// VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
|
|
357
|
+
// surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
|
|
358
|
+
// Library helpers, getStaticProps, internal _utils, and lib/handler test fixtures
|
|
359
|
+
// also use `findMany` but aren't list endpoints serving paginated client requests.
|
|
360
|
+
if (rule.id === "VG955" && filePath) {
|
|
361
|
+
const isRouteFile = /(?:\/api\/|\/route\.(?:ts|tsx|js|jsx)$|\/pages\/api\/|\/app\/api\/)/.test(filePath);
|
|
362
|
+
const isServerAction = /^\s*['"]use server['"];?\s*$/m.test(code.slice(0, 500));
|
|
363
|
+
const isStaticBuildHelper = /(?:getStaticProps|getStaticPaths|generateStaticParams|buildLegacy|getServerSideProps)/.test(filePath);
|
|
364
|
+
if (!isRouteFile && !isServerAction)
|
|
365
|
+
continue;
|
|
366
|
+
if (isStaticBuildHelper)
|
|
367
|
+
continue;
|
|
368
|
+
}
|
|
369
|
+
// VG506 (Hardcoded Secret in Vercel Config): the rule's intent is `vercel.json`
|
|
370
|
+
// specifically — its `_KEY`/`_SECRET`/`_TOKEN` regex unintentionally matched
|
|
371
|
+
// translation values in i18n locale JSONs (`packages/i18n/locales/da/common.json`
|
|
372
|
+
// etc. with strings like "user_secret_phrase": "<long Danish text>"). Restrict to
|
|
373
|
+
// actual Vercel config files.
|
|
374
|
+
if (rule.id === "VG506" && filePath && !/(?:^|\/)vercel\.json$/.test(filePath))
|
|
375
|
+
continue;
|
|
376
|
+
// VG041 (Debug mode in production): playground/demo/example paths are explicitly
|
|
377
|
+
// debug-mode showcases — `DEBUG = true` is the entire point of the file. Skip
|
|
378
|
+
// those paths to avoid swamping the report.
|
|
379
|
+
if (rule.id === "VG041" && filePath && /\/(?:playground|demos?|examples?|sandbox)\//i.test(filePath))
|
|
355
380
|
continue;
|
|
356
381
|
// Skip Expo-specific rule (VG708) when project is not an Expo app.
|
|
357
382
|
// The rule's regex incorrectly matches the literal strings "app.json"/"app.config.ts"
|
|
@@ -696,6 +721,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
|
|
|
696
721
|
if (dockerStageAliases.has(target))
|
|
697
722
|
continue;
|
|
698
723
|
}
|
|
724
|
+
// VG409 (Open Redirect via User Input): the rule's pattern matches based on the
|
|
725
|
+
// variable name (`redirectUrl`, `returnTo`, `callbackUrl`, `next`, etc.) regardless
|
|
726
|
+
// of how the variable was assigned. Skip when the variable is assigned to a string
|
|
727
|
+
// literal in the same file with no template-literal interpolation — that's a
|
|
728
|
+
// hardcoded redirect target, not user input.
|
|
729
|
+
if (rule.id === "VG409") {
|
|
730
|
+
const varMatch = match[0].match(/\(\s*(\w+)/);
|
|
731
|
+
if (varMatch) {
|
|
732
|
+
const varName = varMatch[1];
|
|
733
|
+
const literalAssign = new RegExp(`\\b(?:const|let|var)\\s+${varName}\\s*(?::\\s*[\\w<>\\[\\],\\s]+\\s*)?=\\s*(?:"[^"]*"|'[^']*'|\`[^\`$]*\`)\\s*;?`);
|
|
734
|
+
if (literalAssign.test(code))
|
|
735
|
+
continue;
|
|
736
|
+
}
|
|
737
|
+
}
|
|
699
738
|
// Skip matches on comment lines and inside string literals.
|
|
700
739
|
// CVE version-pin rules (VG900-VG931) are exempt — they scan package.json
|
|
701
740
|
// dependency declarations where these contexts don't apply.
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "guardvibe",
|
|
3
|
-
"version": "3.1.
|
|
3
|
+
"version": "3.1.7",
|
|
4
4
|
"mcpName": "io.github.goklab/guardvibe",
|
|
5
5
|
"description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
|
|
6
6
|
"type": "module",
|