guardvibe 3.16.0 → 3.18.0

package/CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.18.0] - 2026-06-09
+
+### Added — FAZ 3 part c: AST BOLA mutation-guard detection for VG951 (442 rules / 37 tools)
+- **VG951 (BOLA — delete/update without ownership) is now AST-aware for the `find → compare → mutate` pattern.** The rule's regex already excludes an ownership field inside the mutation's WHERE clause; its only blind spot was a bare-id mutation preceded by a separate ownership check. `bolaMutationGuarded` (AST) suppresses VG951 when the enclosing function performs a **post-fetch ownership comparison** of the fetched resource against the session (e.g. `const s = await prisma.schedule.findUnique({ where: { id } }); if (s?.userId !== user.id) throw; await prisma.schedule.delete({ where: { id } })`). Anything without that comparison keeps firing.
+- Reuses the part-1/2 AST engine — factored a shared `callNearLine` anchor finder and `hasPostFetchOwnershipGuard` (the case-2 ownership-comparison check) out of `bolaOwnershipGuarded`, then anchored it on the mutation call instead of the find call.
+- **Validated (clean stash diff): VG951 11 → 9; both removed are genuinely ownership-guarded** — cal `delete.handler` (`findUnique select userId → if (scheduleToDelete?.userId !== user.id) throw UNAUTHORIZED → delete`) and cal `ScheduleService.update` (`findUnique → if (userSchedule?.userId !== user.id) require team edit-permission else throw → update`). **0 true positives lost, 0 false positives added, 0 other-rule drift.** 5 new mutation-guard tests (10 BOLA tests total).
+- No rule or tool changes (442 / 37). FAZ 3 part c.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.17.0] - 2026-06-09
+
+### Added — FAZ 3 part 3: AST constant-origin detection for VG126 (442 rules / 37 tools)
+- **VG126 ("Dynamic RegExp from User Input") no longer fires when the argument is provably constant.** `regexpArgIsConstant` (AST) suppresses `new RegExp(x)` when `x` is: a string literal, a variable assigned from a string literal, the callback parameter of an iteration over a const string-array (incl. an imported SCREAMING_SNAKE_CASE list, by convention), or `someRegExp.source`/`.flags` (cloning a compiled RegExp). Minified bundles are skipped too. Anything not provably constant keeps firing.
+- **Validated (clean stash diff): VG126 29 → 21; all 8 removed are confirmed non-user-input** — dub `detect-bot` ×2 (`UA_BOTS`/`REFERRER_BOTS` bot-pattern lists), a minified vendor bundle, and payload `deepCopyObject` ×5 (`new RegExp(cur.source, cur.flags)` RegExp clones). **0 true positives lost, 0 false positives added.** 10 RegExp tests.
+- No rule or tool changes (442 / 37). FAZ 3 part 3 (reuses the part-1 AST engine).
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.16.0] - 2026-06-08
 
 ### Added — FAZ 3 part 2: AST BOLA ownership-guard detection for VG950 (442 rules / 37 tools)

package/build/tools/ast-engine.d.ts

@@ -16,3 +16,22 @@ export declare function paramReachesSink(code: string, filePath?: string): boole
  * firing — for a BOLA rule we prefer a false positive over hiding a real one.
  */
 export declare function bolaOwnershipGuarded(code: string, filePath: string | undefined, line: number): boolean;
+/**
+ * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
+ * already suppresses an ownership field inside the mutation's WHERE clause (via a
+ * negative lookahead), so the only blind spot is the find → compare → mutate
+ * pattern: the mutation's where-clause is a bare id, but the enclosing function
+ * fetched the resource and compared its ownership field against the session first.
+ * Returns true (→ suppress) only when that post-fetch comparison is present;
+ * false on uncertainty so a genuinely unguarded mutation keeps firing.
+ */
+export declare function bolaMutationGuarded(code: string, filePath: string | undefined, line: number): boolean;
+/**
+ * True when the argument to a `new RegExp(...)` at `line` is PROVABLY a constant
+ * (a string literal, a variable assigned from a string literal, or the callback
+ * parameter of an iteration over a const string-array — the "bot list" pattern),
+ * so VG126 ("Dynamic RegExp from user input") is a false positive there. Returns
+ * false on any uncertainty so the rule keeps firing — a regex built from anything
+ * not provably constant stays flagged.
+ */
+export declare function regexpArgIsConstant(code: string, filePath: string | undefined, line: number): boolean;

package/build/tools/ast-engine.js

@@ -137,6 +137,10 @@ export function paramReachesSink(code, filePath) {
     return sinkArgs.some(args => refsTaint(args, tainted));
 }
 const FIND_METHODS = new Set(["findUnique", "findFirst", "findById", "findOne", "getOne"]);
+// Mutation sinks for VG951 (delete/update BOLA) — the last identifier of the callee.
+const MUTATION_METHODS = new Set([
+    "delete", "update", "destroy", "remove", "deleteMany", "updateMany", "deleteOne", "updateOne",
+]);
 const OWNERSHIP_FIELDS = new Set([
     "userId", "user_id", "ownerId", "owner_id", "authorId", "author_id", "createdById", "createdBy", "created_by",
     "accountId", "account_id", "tenantId", "tenant_id", "orgId", "org_id", "organizationId",
@@ -146,6 +150,44 @@ const OWNERSHIP_FIELDS = new Set([
 // A comparison of a fetched resource's ownership field, on a line that also references a session/user.
 const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
 const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+/** The first CallExpression near `line` whose last-identifier method is in `methods`. */
+function callNearLine(ts, sf, line, methods) {
+    let target;
+    const visit = (node) => {
+        if (!target && ts.isCallExpression(node)) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && methods.has(method)) {
+                const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
+                if (Math.abs(startLine - line) <= 1)
+                    target = node;
+            }
+        }
+        if (!target)
+            ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return target;
+}
+/**
+ * True when the function enclosing `node` performs a post-fetch ownership
+ * comparison — an ownership field (`fetched.userId`) compared against a
+ * session/user value on the same line (`!== ctx.user.id`). Same-function only
+ * (no inter-procedural tracing), matching the line/regex engine's precision.
+ */
+function hasPostFetchOwnershipGuard(ts, sf, node) {
+    let fn = node;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    const body = fn ? fn.getText(sf) : sf.getText();
+    for (const ln of body.split("\n")) {
+        if (OWNERSHIP_COMPARE.test(ln) && SESSION_REF.test(ln))
+            return true;
+    }
+    return false;
+}
 /**
  * BOLA ownership-guard detection for VG950 (find-by-user-id). Returns true (the
  * query is ownership-guarded → suppress the finding) when EITHER:
@@ -167,22 +209,7 @@ export function bolaOwnershipGuarded(code, filePath, line) {
     catch {
         return false;
     }
-    let target;
-    const visit = (node) => {
-        if (!target && ts.isCallExpression(node)) {
-            const callee = node.expression;
-            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
-                : ts.isIdentifier(callee) ? callee.text : undefined;
-            if (method && FIND_METHODS.has(method)) {
-                const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
-                if (Math.abs(startLine - line) <= 1)
-                    target = node;
-            }
-        }
-        if (!target)
-            ts.forEachChild(node, visit);
-    };
-    visit(sf);
+    const target = callNearLine(ts, sf, line, FIND_METHODS);
     if (!target)
         return false;
     // (1) ownership field in the WHERE clause with a non-param value.
@@ -201,14 +228,120 @@ export function bolaOwnershipGuarded(code, filePath, line) {
         }
     }
     // (2) post-fetch ownership comparison against a session/user value, in the same function.
-    let fn = target;
-    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+    return hasPostFetchOwnershipGuard(ts, sf, target);
+}
+/**
+ * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
+ * already suppresses an ownership field inside the mutation's WHERE clause (via a
+ * negative lookahead), so the only blind spot is the find → compare → mutate
+ * pattern: the mutation's where-clause is a bare id, but the enclosing function
+ * fetched the resource and compared its ownership field against the session first.
+ * Returns true (→ suppress) only when that post-fetch comparison is present;
+ * false on uncertainty so a genuinely unguarded mutation keeps firing.
+ */
+export function bolaMutationGuarded(code, filePath, line) {
+    const ts = getTs();
+    if (!ts)
+        return false;
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return false;
+    }
+    const target = callNearLine(ts, sf, line, MUTATION_METHODS);
+    if (!target)
+        return false;
+    return hasPostFetchOwnershipGuard(ts, sf, target);
+}
+const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
+/** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */
+function findVarInit(ts, sf, name) {
+    let found;
+    const visit = (node) => {
+        if (!found && ts.isVariableDeclaration(node) && ts.isIdentifier(node.name) && node.name.text === name && node.initializer) {
+            found = node.initializer;
+        }
+        if (!found)
+            ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return found;
+}
+/** A non-empty array literal whose elements are all string/template literals (a const pattern list). */
+function isConstStringArray(ts, sf, node) {
+    // SCREAMING_SNAKE_CASE identifier = constant by convention (often an imported list).
+    if (ts.isIdentifier(node) && /^[A-Z][A-Z0-9_]+$/.test(node.text))
+        return true;
+    let arr = node;
+    if (ts.isIdentifier(node))
+        arr = findVarInit(ts, sf, node.text);
+    if (arr && ts.isArrayLiteralExpression(arr)) {
+        return arr.elements.length > 0 &&
+            arr.elements.every(el => ts.isStringLiteral(el) || ts.isNoSubstitutionTemplateLiteral(el));
+    }
+    return false;
+}
+/**
+ * True when the argument to a `new RegExp(...)` at `line` is PROVABLY a constant
+ * (a string literal, a variable assigned from a string literal, or the callback
+ * parameter of an iteration over a const string-array — the "bot list" pattern),
+ * so VG126 ("Dynamic RegExp from user input") is a false positive there. Returns
+ * false on any uncertainty so the rule keeps firing — a regex built from anything
+ * not provably constant stays flagged.
+ */
+export function regexpArgIsConstant(code, filePath, line) {
+    const ts = getTs();
+    if (!ts)
+        return false;
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return false;
+    }
+    let target;
+    const visit = (node) => {
+        if (!target && ts.isNewExpression(node) && ts.isIdentifier(node.expression) && node.expression.text === "RegExp"
+            && node.arguments && node.arguments.length > 0) {
+            const startLine = sf.getLineAndCharacterOfPosition(node.getStart(sf)).line + 1;
+            if (Math.abs(startLine - line) <= 1)
+                target = node;
+        }
+        if (!target)
+            ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    if (!target || !target.arguments)
+        return false;
+    const arg = target.arguments[0];
+    if (ts.isStringLiteral(arg) || ts.isNoSubstitutionTemplateLiteral(arg))
+        return true;
+    // `new RegExp(x.source, x.flags)` — cloning an existing compiled RegExp, not user input.
+    if (ts.isPropertyAccessExpression(arg) && (arg.name.text === "source" || arg.name.text === "flags"))
+        return true;
+    if (!ts.isIdentifier(arg))
+        return false;
+    const argName = arg.text;
+    // (a) const argName = "literal"
+    const init = findVarInit(ts, sf, argName);
+    if (init && (ts.isStringLiteral(init) || ts.isNoSubstitutionTemplateLiteral(init)))
+        return true;
+    // (b) argName is the callback parameter of an iteration over a const string array.
+    let fn = target.parent;
+    while (fn && !((ts.isArrowFunction(fn) || ts.isFunctionExpression(fn))
+        && fn.parameters.some(p => ts.isIdentifier(p.name) && p.name.text === argName))) {
         fn = fn.parent;
     }
-    const body = fn ? fn.getText(sf) : code;
-    for (const ln of body.split("\n")) {
-        if (OWNERSHIP_COMPARE.test(ln) && SESSION_REF.test(ln))
+    if (fn && (ts.isArrowFunction(fn) || ts.isFunctionExpression(fn))) {
+        const call = fn.parent;
+        if (call && ts.isCallExpression(call) && ts.isPropertyAccessExpression(call.expression)
+            && ITER_METHODS.has(call.expression.name.text)
+            && isConstStringArray(ts, sf, call.expression.expression)) {
             return true;
+        }
     }
     return false;
 }

package/build/tools/check-code.js

@@ -4,7 +4,7 @@ import { loadConfig } from "../utils/config.js";
 import { loadIgnoreFile, isIgnored } from "../utils/ignore.js";
 import { securityBanner } from "../utils/banner.js";
 import { looksMinified } from "../utils/constants.js";
-import { paramReachesSink, bolaOwnershipGuarded } from "./ast-engine.js";
+import { paramReachesSink, bolaOwnershipGuarded, bolaMutationGuarded, regexpArgIsConstant } from "./ast-engine.js";
 /** CVE version-pin rule IDs are VG900-VG931 (and only these). Other VG9xx IDs
  * (VG983 Turso, VG990 SVG, VG998 OpenAI browser flag, etc.) are regular code-pattern
  * rules and should NOT be exempted from comment / string-literal skip logic. */
@@ -886,6 +886,18 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
             // `userId` that only appears in `select`, and sees a separate comparison statement.
             if (rule.id === "VG950" && filePath && bolaOwnershipGuarded(code, filePath, lineNumber))
                 continue;
+            // VG951 (BOLA delete/update): the regex already suppresses an ownership field
+            // inside the mutation's WHERE clause, so its only blind spot is the
+            // find → compare → mutate pattern — a bare-id mutation preceded by a post-fetch
+            // ownership comparison against the session. Suppress only when AST proves it.
+            if (rule.id === "VG951" && filePath && bolaMutationGuarded(code, filePath, lineNumber))
+                continue;
+            // VG126 (Dynamic RegExp from User Input): the regex matches `new RegExp(anyVar)`,
+            // but the var is often a provable constant — a string literal or the callback
+            // param iterating a const string array (the classic bot-UA / referrer-list pattern).
+            // Suppress only when AST proves the argument is constant; anything else keeps firing.
+            if (rule.id === "VG126" && (looksMinified(code) || (filePath && regexpArgIsConstant(code, filePath, lineNumber))))
+                continue;
             // VG202: skip when the FROM target matches a previous AS-alias in the same file.
             if (dockerStageAliases) {
                 const target = match[0].replace(/^FROM\s+/i, "").split(/[:@\s]/)[0].toLowerCase();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.16.0",
+  "version": "3.18.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 442 rules, 37 tools, CLI + doctor. Host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 71 CVE rules refreshed daily from GHSA/OSV/CISA KEV — Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",