guardvibe 3.14.2 → 3.16.0

package/CHANGELOG.md

@@ -5,6 +5,27 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.16.0] - 2026-06-08
+
+### Added — FAZ 3 part 2: AST BOLA ownership-guard detection for VG950 (442 rules / 37 tools)
+- **VG950 (BOLA — find-by-id without ownership) is now AST-aware.** It had no ownership handling at all (VG951 already excludes where-clause ownership). `bolaOwnershipGuarded` suppresses VG950 when the AST proves the query is ownership-guarded — EITHER an ownership field in the **WHERE clause** with a non-route-param value, OR a same-function **post-fetch ownership comparison** of the fetched resource against the session (e.g. `if (eventType.userId !== ctx.user.id) throw`).
+- **Precise where the regex can't be:** it ignores a `userId` that only appears in `select` (a regex lookahead would suppress on that → false negative), it sees an ownership check that lives in a separate statement, and it refuses to count an ownership field whose value is itself a route param (still BOLA).
+- **Validated (clean stash diff): VG950 22 → 15; all 7 removed are genuinely ownership-guarded** — 3 via where-clause ownership (dub rewards/oauth-apps/tokens), 4 via post-fetch comparison (cal schedule/ooo handlers, each with a real `…userId !== user.id` check). **0 true BOLA hidden (0 false negatives), 0 false positives introduced.** 10 new tests.
+- No rule or tool changes (442 / 37). FAZ 3 part 2 (engine reused from part 1).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.15.0] - 2026-06-08
+
+### Added — FAZ 3 part 1: AST dataflow engine + precise VG406 (442 rules / 37 tools)
+- **New AST/dataflow engine** (`src/tools/ast-engine.ts`), backed by the TypeScript compiler (loaded lazily, used only on the AST path). Brings real intra-file dataflow the line/regex engine structurally can't do.
+- **VG406 (Unsanitized Dynamic Route Params) is now dataflow-aware.** Its regex bridged a `params`/`searchParams` access to ANY later DB sink via an unbounded match, false-positiving when the param never flows to that sink. `paramReachesSink` does intra-procedural taint — seeding from params/searchParams and propagating through variable assignments and query-builder calls — so VG406 fires only on a real param → sink flow (multi-hop included, the case a name-only regex misses).
+- **Validated (clean stash diff): VG406 24 → 20; all 4 removed are confirmed false positives** where `params` is a function/constructor/callback argument named "params" (not a route param) — dub `get-events`/`create-bounty-submission`, plane `filter.store`, unkey `use-logs-query`. **0 true positives lost, 0 new findings.** 10 tests (engine + integration).
+- **Runtime dependency:** added `typescript` (^5.7.0) — pure-JS, zero sub-dependencies, no native bindings, deterministic everywhere. The README claim is updated from "zero runtime dependencies" to "minimal, fully-audited runtime dependencies (MCP SDK, Zod, TypeScript compiler)". The publish workflow's npm step is already idempotent.
+- No rule or tool changes (442 / 37). First of several FAZ 3 releases (next: extend the engine to IDOR/BOLA and VG950).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.14.2] - 2026-06-08
 
 ### Fixed — VG964 false positives on App Router route segments (442 rules / 37 tools)

package/README.md

@@ -584,7 +584,7 @@ GuardVibe takes supply chain security seriously:
 - **Branch protection** — force push disabled on main, admin enforcement enabled
 - **Tag protection** — version tags (`v*`) cannot be deleted or force-pushed
 - **Minimal CI permissions** — GitHub Actions workflows use `permissions: contents: read` only
-- **Zero runtime dependencies** — only MCP SDK and Zod (both widely audited)
+- **Minimal, fully-audited runtime dependencies** — only the MCP SDK, Zod, and the TypeScript compiler (used for AST-based dataflow analysis). All three are widely-audited, zero-sub-dependency packages — no native bindings, no obscure transitive deps
 
 To report a vulnerability, please email info@goklab.com or open a GitHub issue.
 

package/build/tools/ast-engine.d.ts

@@ -0,0 +1,18 @@
+/**
+ * True if a route parameter (params / searchParams) reaches a DB/query sink in
+ * this file, following assignments and query-builder calls. Returns true (the safe
+ * default — don't suppress) when TypeScript is unavailable or parsing fails, so
+ * the rule keeps its prior behavior rather than silently hiding a finding.
+ */
+export declare function paramReachesSink(code: string, filePath?: string): boolean;
+/**
+ * BOLA ownership-guard detection for VG950 (find-by-user-id). Returns true (the
+ * query is ownership-guarded → suppress the finding) when EITHER:
+ *  (1) the find call's WHERE clause (not select!) contains an ownership field
+ *      whose value is not itself a route param, OR
+ *  (2) the enclosing function performs a post-fetch ownership comparison of an
+ *      ownership field against a session/user value.
+ * Returns false on uncertainty (no parser, no matching call) so the rule keeps
+ * firing — for a BOLA rule we prefer a false positive over hiding a real one.
+ */
+export declare function bolaOwnershipGuarded(code: string, filePath: string | undefined, line: number): boolean;

package/build/tools/ast-engine.js

@@ -0,0 +1,214 @@
+// guardvibe-ignore — AST-engine helpers; the sink-method names and taint regex
+// below are detector patterns, not vulnerable code.
+/**
+ * AST engine (FAZ 3) — real parsing + intra-file dataflow for precision the
+ * line/regex engine structurally can't reach.
+ *
+ * Backed by the TypeScript compiler's parser, loaded LAZILY and synchronously
+ * (createRequire) so non-AST scan paths pay nothing for it. `typescript` is a
+ * pure-JS, zero-sub-dependency, no-native-bindings package — the lowest
+ * supply-chain-risk parser available — and is a bundled runtime dependency so the
+ * analysis is deterministic everywhere (not dependent on the scanned project
+ * happening to have its own copy). If it can't be loaded, every helper degrades
+ * to a safe default that preserves the prior (regex-only) behavior.
+ *
+ * First capability: precise param → sink reachability for VG406. The rule's regex
+ * bridges a `params`/`searchParams` access to ANY later DB sink in the file via an
+ * unbounded `[\s\S]*?`, so it false-positives when the param never actually flows
+ * to that sink. `paramReachesSink` does real intra-procedural taint — seeding from
+ * params/searchParams and propagating through variable assignments and
+ * query-builder calls — so a param routed through an intermediate variable still
+ * counts (the case a name-only regex misses) while an unrelated sink does not.
+ */
+import { createRequire } from "module";
+let _ts = null;
+let _loadFailed = false;
+function getTs() {
+    if (_ts)
+        return _ts;
+    if (_loadFailed)
+        return null;
+    try {
+        const require = createRequire(import.meta.url);
+        _ts = require("typescript");
+        return _ts;
+    }
+    catch {
+        _loadFailed = true;
+        return null;
+    }
+}
+function scriptKindFor(ts, filePath) {
+    const f = (filePath ?? "").toLowerCase();
+    if (f.endsWith(".tsx"))
+        return ts.ScriptKind.TSX;
+    if (f.endsWith(".jsx"))
+        return ts.ScriptKind.JSX;
+    if (f.endsWith(".js") || f.endsWith(".mjs") || f.endsWith(".cjs"))
+        return ts.ScriptKind.JS;
+    return ts.ScriptKind.TS;
+}
+// DB / query sink method names (last identifier of the callee).
+const SINK_METHODS = new Set([
+    "query", "execute", "findUnique", "findFirst", "findMany", "delete", "update", "create",
+    "upsert", "aggregate", "count", "groupBy", "createMany", "updateMany", "deleteMany",
+    "raw", "$queryRaw", "$executeRaw", "$queryRawUnsafe", "$executeRawUnsafe",
+]);
+const PARAM_ROOT = /\b(?:params|searchParams)\b/;
+/** Does `text` reference a taint root (params/searchParams) or any tainted identifier? */
+function refsTaint(text, tainted) {
+    if (PARAM_ROOT.test(text))
+        return true;
+    for (const t of tainted) {
+        if (new RegExp("\\b" + t.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "\\b").test(text))
+            return true;
+    }
+    return false;
+}
+/**
+ * True if a route parameter (params / searchParams) reaches a DB/query sink in
+ * this file, following assignments and query-builder calls. Returns true (the safe
+ * default — don't suppress) when TypeScript is unavailable or parsing fails, so
+ * the rule keeps its prior behavior rather than silently hiding a finding.
+ */
+export function paramReachesSink(code, filePath) {
+    const ts = getTs();
+    if (!ts)
+        return true;
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return true;
+    }
+    const namesFromBinding = (name) => {
+        if (ts.isIdentifier(name))
+            return [name.text];
+        const out = [];
+        if (ts.isObjectBindingPattern(name) || ts.isArrayBindingPattern(name)) {
+            for (const el of name.elements) {
+                if (ts.isBindingElement(el))
+                    out.push(...namesFromBinding(el.name));
+            }
+        }
+        return out;
+    };
+    const assigns = [];
+    const sinkArgs = [];
+    const visit = (node) => {
+        if (ts.isVariableDeclaration(node) && node.initializer) {
+            assigns.push({ names: namesFromBinding(node.name), rhs: node.initializer.getText(sf) });
+        }
+        else if (ts.isBinaryExpression(node) && node.operatorToken.kind === ts.SyntaxKind.EqualsToken && ts.isIdentifier(node.left)) {
+            assigns.push({ names: [node.left.text], rhs: node.right.getText(sf) });
+        }
+        else if (ts.isCallExpression(node)) {
+            const callee = node.expression;
+            let method;
+            if (ts.isPropertyAccessExpression(callee))
+                method = callee.name.text;
+            else if (ts.isIdentifier(callee))
+                method = callee.text;
+            if (method && SINK_METHODS.has(method) && node.arguments.length > 0) {
+                sinkArgs.push(node.arguments.map(a => a.getText(sf)).join(", "));
+            }
+        }
+        ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    // Fixpoint taint propagation through assignments.
+    const tainted = new Set();
+    let changed = true;
+    let guard = 0;
+    while (changed && guard++ < 25) {
+        changed = false;
+        for (const a of assigns) {
+            if (refsTaint(a.rhs, tainted)) {
+                for (const n of a.names) {
+                    if (!tainted.has(n)) {
+                        tainted.add(n);
+                        changed = true;
+                    }
+                }
+            }
+        }
+    }
+    return sinkArgs.some(args => refsTaint(args, tainted));
+}
+const FIND_METHODS = new Set(["findUnique", "findFirst", "findById", "findOne", "getOne"]);
+const OWNERSHIP_FIELDS = new Set([
+    "userId", "user_id", "ownerId", "owner_id", "authorId", "author_id", "createdById", "createdBy", "created_by",
+    "accountId", "account_id", "tenantId", "tenant_id", "orgId", "org_id", "organizationId",
+    "projectId", "project_id", "workspaceId", "workspace_id", "teamId", "team_id", "memberId", "member_id",
+    "programId", "customerId",
+]);
+// A comparison of a fetched resource's ownership field, on a line that also references a session/user.
+const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
+const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+/**
+ * BOLA ownership-guard detection for VG950 (find-by-user-id). Returns true (the
+ * query is ownership-guarded → suppress the finding) when EITHER:
+ *  (1) the find call's WHERE clause (not select!) contains an ownership field
+ *      whose value is not itself a route param, OR
+ *  (2) the enclosing function performs a post-fetch ownership comparison of an
+ *      ownership field against a session/user value.
+ * Returns false on uncertainty (no parser, no matching call) so the rule keeps
+ * firing — for a BOLA rule we prefer a false positive over hiding a real one.
+ */
+export function bolaOwnershipGuarded(code, filePath, line) {
+    const ts = getTs();
+    if (!ts)
+        return false;
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return false;
+    }
+    let target;
+    const visit = (node) => {
+        if (!target && ts.isCallExpression(node)) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && FIND_METHODS.has(method)) {
+                const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
+                if (Math.abs(startLine - line) <= 1)
+                    target = node;
+            }
+        }
+        if (!target)
+            ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    if (!target)
+        return false;
+    // (1) ownership field in the WHERE clause with a non-param value.
+    const arg0 = target.arguments[0];
+    if (arg0 && ts.isObjectLiteralExpression(arg0)) {
+        const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
+        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)) {
+            for (const prop of whereProp.initializer.properties) {
+                const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
+                if (nm && OWNERSHIP_FIELDS.has(nm)) {
+                    const valText = ts.isPropertyAssignment(prop) ? prop.initializer.getText(sf) : nm;
+                    if (!/\b(?:params|searchParams)\b/.test(valText))
+                        return true;
+                }
+            }
+        }
+    }
+    // (2) post-fetch ownership comparison against a session/user value, in the same function.
+    let fn = target;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    const body = fn ? fn.getText(sf) : code;
+    for (const ln of body.split("\n")) {
+        if (OWNERSHIP_COMPARE.test(ln) && SESSION_REF.test(ln))
+            return true;
+    }
+    return false;
+}

package/build/tools/check-code.js

@@ -4,6 +4,7 @@ import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 import { securityBanner } from "../utils/banner.js";
 import { looksMinified } from "../utils/constants.js";
+import { paramReachesSink, bolaOwnershipGuarded } from "./ast-engine.js";
 /** CVE version-pin rule IDs are VG900-VG931 (and only these). Other VG9xx IDs
  * (VG983 Turso, VG990 SVG, VG998 OpenAI browser flag, etc.) are regular code-pattern
  * rules and should NOT be exempted from comment / string-literal skip logic. */
@@ -674,6 +675,17 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
                 continue;
             }
         }
+        // VG406 (Unsanitized Dynamic Route Params): the regex bridges a params/searchParams
+        // access to ANY later DB sink in the file via an unbounded match, so it
+        // false-positives when the param never actually flows to that sink. Use AST
+        // dataflow (FAZ 3) to require a real param→sink flow — through assignments and
+        // query-builders, the case a name-only regex misses. Cheap guards gate the parse
+        // to files that actually contain a param + a sink (i.e. real VG406 candidates).
+        if (rule.id === "VG406" && filePath
+            && /\b(?:params|searchParams)\b/.test(code)
+            && /\b(?:query|execute|findUnique|findFirst|findMany|delete|update|create|upsert|aggregate|count|groupBy)\s*\(/.test(code)
+            && !paramReachesSink(code, filePath))
+            continue;
         // Skip SQL injection rules in schema/migration .sql files (DDL, not user input)
         if (rule.id === "VG543" && (isMigrationFile || isSqlSchemaFile))
             continue;
@@ -868,6 +880,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             const lineNumber = beforeMatch.split("\n").length;
             if (isLineSuppressed(suppressions, lineNumber, rule.id))
                 continue;
+            // VG950 (BOLA find-by-id): suppress when AST proves the query is ownership-guarded —
+            // an ownership field in the WHERE clause (non-param value) or a post-fetch ownership
+            // comparison against the session. Precise where the regex can't be: it ignores a
+            // `userId` that only appears in `select`, and sees a separate comparison statement.
+            if (rule.id === "VG950" && filePath && bolaOwnershipGuarded(code, filePath, lineNumber))
+                continue;
             // VG202: skip when the FROM target matches a previous AS-alias in the same file.
             if (dockerStageAliases) {
                 const target = match[0].replace(/^FROM\s+/i, "").split(/[:@\s]/)[0].toLowerCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.14.2",
+  "version": "3.16.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
@@ -107,6 +107,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.26.0",
+    "typescript": "^5.7.0",
     "zod": "^3.25.0"
   },
   "overrides": {
@@ -119,7 +120,6 @@
     "c8": "^11.0.0",
     "eslint": "^10.2.0",
     "tsx": "^4.21.0",
-    "typescript": "^5.7.0",
     "typescript-eslint": "^8.58.0"
   },
   "engines": {