guardvibe 3.1.6 → 3.1.8

package/build/tools/check-code.js

@@ -351,7 +351,7 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
         //   agent.get('/?q=' + sqlPayload) which match the regex but aren't database calls
         // - VG042/VG678: HTTP-response/security-header rules (tests don't serve to real users)
         const isTestFile = filePath && /(?:\.(?:[\w-]+-)?(?:spec|test|e2e|stories|cy)\.(?:ts|tsx|js|jsx|mjs|cjs)$|\/__tests__\/|\/tests?\/|\/cypress\/|\/playwright\/)/i.test(filePath);
-        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021"].includes(rule.id))
+        if (isTestFile && ["VG001", "VG062", "VG010", "VG011", "VG013", "VG014", "VG042", "VG130", "VG678", "VG955", "VG133", "VG1021", "VG409"].includes(rule.id))
             continue;
         // VG955 (Missing Pagination on List Endpoint): only fire on actual request-handling
         // surfaces — API routes, App Router `route.{ts,tsx}`, pages/api, or Server Actions.
@@ -721,6 +721,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 if (dockerStageAliases.has(target))
                     continue;
             }
+            // VG409 (Open Redirect via User Input): the rule's pattern matches based on the
+            // variable name (`redirectUrl`, `returnTo`, `callbackUrl`, `next`, etc.) regardless
+            // of how the variable was assigned. Skip when the variable is assigned to a string
+            // literal in the same file with no template-literal interpolation — that's a
+            // hardcoded redirect target, not user input.
+            if (rule.id === "VG409") {
+                const varMatch = match[0].match(/\(\s*(\w+)/);
+                if (varMatch) {
+                    const varName = varMatch[1];
+                    const literalAssign = new RegExp(`\\b(?:const|let|var)\\s+${varName}\\s*(?::\\s*[\\w<>\\[\\],\\s]+\\s*)?=\\s*(?:"[^"]*"|'[^']*'|\`[^\`$]*\`)\\s*;?`);
+                    if (literalAssign.test(code))
+                        continue;
+                }
+            }
             // Skip matches on comment lines and inside string literals.
             // CVE version-pin rules (VG900-VG931) are exempt — they scan package.json
             // dependency declarations where these contexts don't apply.

package/build/tools/full-audit.js

@@ -17,6 +17,7 @@ import { analyzeCrossFileTaint } from "./cross-file-taint.js";
 import { analyzeAuthCoverage } from "./auth-coverage.js";
 import { getRules } from "../utils/rule-registry.js";
 import { loadConfig } from "../utils/config.js";
+import { isExcludedFilename } from "../utils/constants.js";
 // --- Core Logic ---
 /**
  * Compute verdict: PASS (0 critical + 0 high), WARN (high > 0), FAIL (critical > 0)
@@ -103,6 +104,8 @@ function collectJsFiles(dir, maxFiles = 200) {
             }
             if (!/\.(ts|tsx|js|jsx|mts|cts)$/.test(entry))
                 continue;
+            if (isExcludedFilename(entry))
+                continue;
             if (stat.size > 100_000)
                 continue;
             try {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.6",
+  "version": "3.1.8",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",