npm - guardvibe - Versions diffs - 3.1.8 → 3.1.10 - Mend

guardvibe 3.1.8 → 3.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/tools/auth-coverage.js +13 -4
package/build/tools/check-code.js +28 -3
package/package.json +1 -1

package/build/tools/auth-coverage.js CHANGED Viewed

@@ -9,9 +9,13 @@ const HTTP_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS"
  * route groups, and file name.
  */
 function filePathToUrlPath(filePath) {
-    let p = filePath
-        .replace(/^src\/app\//, "")
-        .replace(/^app\//, "");
+    // Strip everything up to and including the Next.js app directory.
+    // Covers: app/..., src/app/..., apps/<workspace>/app/..., apps/<workspace>/src/app/...,
+    // packages/<name>/app/... — common monorepo (Turborepo/pnpm) layouts where the
+    // route file lives under a workspace prefix that is not part of the URL.
+    let p = filePath.replace(/^.*?\/(?:src\/)?app\//, "");
+    // Fallback for simple non-monorepo paths.
+    p = p.replace(/^src\/app\//, "").replace(/^app\//, "");
     // Remove file name (route.ts, page.tsx, layout.tsx)
     p = p.replace(/\/(route|page|layout)\.(ts|tsx|js|jsx)$/, "");
     // Remove route groups: (groupName)
@@ -80,7 +84,12 @@ export function enumerateRoutes(files) {
  */
 export function parseMiddlewareMatchers(content) {
     // Normalize literal escape sequences that AI assistants may pass
-    const normalized = content.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
+    let normalized = content.replace(/\\n/g, "\n").replace(/\\t/g, "\t");
+    // Strip block + line comments before pulling the matcher array. Real-world
+    // middleware files carry JSDoc-style notes inline (dub's matcher block has
+    // four bullet points); split-on-comma was swallowing those bullets into the
+    // matcher list, breaking every downstream regex test.
+    normalized = normalized.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
     const stringMatch = /matcher\s*:\s*"([^"]+)"/.exec(normalized);
     if (stringMatch)
         return [stringMatch[1]];

package/build/tools/check-code.js CHANGED Viewed

@@ -775,6 +775,11 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 // (`forgot_password: "forgot_password_clicked"`).
                 if (filePath && /(?:\/i18n\/|\/locales?\/|\/translations?\/|\/event[-_]tracker\/|\/analytics\/events\/|\/messages\/[a-z]{2}(?:[-_][A-Z]{2})?\.[jt]sx?$)/i.test(filePath))
                     continue;
+                // Seed scripts and shared test-fixture builders deliberately use placeholder
+                // credentials (`password: "delete-me"`, `password: "MOCK_PASSWORD"`). These
+                // populate dev/CI databases and never run against production.
+                if (filePath && /(?:^|\/)(?:scripts|seeds?|fixtures?|__fixtures__|bookingScenario|setupAndTeardown)\b|(?:^|\/)seed[-_.][\w-]*\.[jt]sx?$/i.test(filePath))
+                    continue;
             }
             // Skip credential rules when the variable name signals test/example/mock intent.
             // e.g. `testingPassword`, `examplePassword`, `mockApiKey`, `placeholderSecret`.
@@ -787,6 +792,16 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 // Covers both SCREAMING_SNAKE (TS string enums) and snake_case (event-tracker key maps).
                 if (/\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']\1["']/.test(matchedLine))
                     continue;
+                // Skip when the value is just a re-casing of the identifier — covers
+                // `IncorrectEmailPassword = "incorrect-email-password"` (TS string enum kebab) and
+                // `X_CAL_SECRET_KEY = "x-cal-secret-key"` (HTTP header constant). Both forms reduce
+                // to the same lowercase letters; no real credential is its own name re-cased.
+                const idValuePair = matchedLine.match(/\b([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["']([\w-]+)["']/);
+                if (idValuePair) {
+                    const canonical = (s) => s.toLowerCase().replace(/[^a-z0-9]/g, "");
+                    if (canonical(idValuePair[1]) === canonical(idValuePair[2]))
+                        continue;
+                }
                 // Skip SCREAMING_SNAKE error/status codes whose value is digits-only.
                 // e.g. `INVALID_PASSWORD = "5020"` — error code, not a credential.
                 if (/\b[A-Z][A-Z0-9_]*\s*=\s*["']\d+["']/.test(matchedLine))
@@ -922,10 +937,20 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 const varName = match[0].split(/\s*(?:===|!==|==|!=)/)[0].trim();
                 if (/(?:Count|Length|Balance|Map|List|Array|Index|Size|Total|Num|Id|Type|Name|Status|Data|Info|Error|Result|Response|Config|Option|Url|Path|Provider|Model|Limit|Quota|Rate|Max|Min)/i.test(varName))
                     continue;
-                // Look at what comes after the operator. If it's a string literal, null, undefined,
-                // or a number — this is an emptiness/type check, not a secret comparison.
+                // Look at what comes after the operator. If it's a string/template literal, null,
+                // undefined, true/false, or a number — this is an emptiness/type check, not a
+                // secret comparison. The earlier shape only matched empty literals (`''`/`""`),
+                // missing the common `typeof x === "object"` / `=== "string"` shapes.
                 const afterOp = code.substring(match.index + match[0].length).trimStart();
-                if (/^(?:''|""|``|null\b|undefined\b|\d|0x|true\b|false\b)/.test(afterOp))
+                if (/^(?:'[^']*'|"[^"]*"|`[^`]*`|null\b|undefined\b|\d|0x|true\b|false\b)/.test(afterOp))
+                    continue;
+                // Client-side React code is not exposed to remote timing attacks: the comparison
+                // runs in the user's own browser, where the attacker already has full control of
+                // execution timing (network jitter doesn't help them, and a same-machine attacker
+                // has easier paths than timing). Skip when the file is a client component.
+                const isClientFile = /^['"]use client['"]/.test(code.trimStart()) ||
+                    /\b(?:useState|useEffect|useReducer|useRef|useMemo|useCallback|useContext|useTransition|useSyncExternalStore|useLayoutEffect)\s*\(/.test(code);
+                if (isClientFile)
                     continue;
             }
             // Skip VG1005 (.or() filter injection) when all interpolated variables are

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.1.8",
+  "version": "3.1.10",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security MCP for vibe coding. 390 rules, 36 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis, +25 AI-native rules (MCP supply-chain, RAG/vector poisoning, agent loop DoS, public-prefix LLM keys, sandbox bypass). Plus Next.js, Supabase, Clerk, Stripe, Prisma, tRPC, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK, and the full AI-generated stack.",
   "type": "module",