guardvibe 3.25.0 → 3.26.0

package/CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.26.0] - 2026-06-25
+
+### Improved — AST engine: inter-procedural & nested ownership for BOLA/IDOR (no rule/tool count change: 450 rules / 39 tools)
+- **VG950 (find-by-id BOLA) precision via the AST engine.** The ownership guard now also recognizes two real-world authorization shapes the same-function analysis structurally could not see: (1) an ownership field nested inside a relation filter (`members: { some: { userId } }`, `teams.some.team.members.some.userId`), and (2) an **inter-procedural** check — an authorization helper the function calls *before* the query, passing both a session value and the same id (`isAdminForUser(ctx.user.id, targetId)` → throw, then `findUnique({ where: { id: targetId } })`). The same inter-procedural guard now also applies to VG951 (delete/update BOLA).
+- **Soundness preserved:** only a session/auth-derived ownership value counts — a request-controlled value (`req.body.UserId`) is attacker-chosen and keeps firing. Deterministic (bundled TypeScript parser, no resolution of the scanned project's copy).
+- Corpus delta: 3 confirmed false positives removed, zero true positives lost, zero drift on other rules. 8 new tests.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.25.0] - 2026-06-24
 
 ### Fixed — QA hardening pass (no rule/tool count change: 450 rules / 39 tools)

package/build/tools/ast-engine.js

@@ -150,6 +150,96 @@ const OWNERSHIP_FIELDS = new Set([
 // A comparison of a fetched resource's ownership field, on a line that also references a session/user.
 const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
 const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+// A value text that is directly request/route-controlled is attacker-chosen, so an
+// ownership field scoped to it (`UserId: req.body.UserId`, `workspaceId: params.x`)
+// is NOT a real guard — the request can name any owner. Only session/auth-derived
+// values count. (Mirrors the existing top-level `params|searchParams` exclusion,
+// extended to req/request so juice-shop's `req.body.UserId` scoping keeps firing.)
+const REQUEST_CONTROLLED = /\b(?:req|request|params|searchParams)\b/;
+/**
+ * Recursively scan a `where` object literal for an ownership field (at any nesting
+ * depth, e.g. `members: { some: { userId: ... } }`) whose value is session-derived
+ * (not request-controlled). The line/regex engine and the prior top-level-only scan
+ * miss ownership nested inside relation filters.
+ */
+function whereHasNestedOwnership(ts, sf, obj) {
+    for (const prop of obj.properties) {
+        const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
+        if (ts.isPropertyAssignment(prop)) {
+            if (nm && OWNERSHIP_FIELDS.has(nm)) {
+                const valText = prop.initializer.getText(sf);
+                if (!REQUEST_CONTROLLED.test(valText))
+                    return true;
+            }
+            if (ts.isObjectLiteralExpression(prop.initializer) && whereHasNestedOwnership(ts, sf, prop.initializer))
+                return true;
+        }
+        else if (ts.isShorthandPropertyAssignment(prop) && nm && OWNERSHIP_FIELDS.has(nm)) {
+            // `where: { userId }` — the bound variable carries the ownership scope.
+            return true;
+        }
+    }
+    return false;
+}
+// An authz/ownership-check helper: an action verb + an authz noun (isAdminForUser,
+// assertOwnership, checkAccess, requirePermission, ensureMemberRole…) or a bare
+// authorize/authorise. Names like formatId/getUserById deliberately do NOT match.
+const AUTHZ_HELPER = /^(?:authoris|authoriz)e|^(?:is|assert|ensure|require|check|verify|can|has|validate|guard|protect|enforce)[A-Za-z]*(?:owner|admin|member|access|permission|auth|allowed|belongs|role)/i;
+/** The text of the `where.id` value (or the call's first-arg id) the call is keyed by. */
+function findKeyedIdText(ts, sf, call) {
+    const arg0 = call.arguments[0];
+    if (arg0 && ts.isObjectLiteralExpression(arg0)) {
+        const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
+        const whereObj = whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            ? whereProp.initializer : arg0;
+        const idProp = whereObj.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "id");
+        if (idProp && ts.isPropertyAssignment(idProp))
+            return idProp.initializer.getText(sf);
+    }
+    return undefined;
+}
+/**
+ * Inter-procedural ownership guard: the enclosing function calls an authz-named
+ * helper BEFORE the find/mutation, passing both a session value and the same id the
+ * query is keyed by (`isAdminForUser(ctx.user.id, input.forUserId)` → throw, then
+ * `findUnique({ where: { id: input.forUserId } })`). This is the case VG950/VG951's
+ * same-function analysis structurally can't see. Conservative on every axis (authz
+ * name + session ref + exact id-sharing + textually-before) so an unrelated guard
+ * can't hide a real BOLA.
+ */
+function hasInterProceduralOwnershipGuard(ts, sf, target) {
+    const idText = findKeyedIdText(ts, sf, target);
+    // Require a specific id expression (a member access or a sufficiently long name);
+    // a bare `id` is too generic to match a helper argument soundly.
+    if (!idText || (!idText.includes(".") && idText.length < 5))
+        return false;
+    let fn = target;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    if (!fn)
+        return false;
+    const targetStart = target.getStart(sf);
+    let guarded = false;
+    const visit = (node) => {
+        if (guarded)
+            return;
+        if (ts.isCallExpression(node) && node !== target && node.getStart(sf) < targetStart) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && AUTHZ_HELPER.test(method)) {
+                const argsText = node.arguments.map(a => a.getText(sf)).join(", ");
+                if (SESSION_REF.test(argsText) && argsText.includes(idText))
+                    guarded = true;
+            }
+        }
+        if (!guarded)
+            ts.forEachChild(node, visit);
+    };
+    visit(fn);
+    return guarded;
+}
 /** The first CallExpression near `line` whose last-identifier method is in `methods`. */
 function callNearLine(ts, sf, line, methods) {
     let target;
@@ -212,23 +302,22 @@ export function bolaOwnershipGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, FIND_METHODS);
     if (!target)
         return false;
-    // (1) ownership field in the WHERE clause with a non-param value.
+    // (1) ownership field in the WHERE clause with a non-param value — now scanned
+    // recursively so ownership nested inside a relation filter (`members.some.userId`)
+    // counts too, with a session-derived (not request-controlled) value.
     const arg0 = target.arguments[0];
     if (arg0 && ts.isObjectLiteralExpression(arg0)) {
         const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
-        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)) {
-            for (const prop of whereProp.initializer.properties) {
-                const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
-                if (nm && OWNERSHIP_FIELDS.has(nm)) {
-                    const valText = ts.isPropertyAssignment(prop) ? prop.initializer.getText(sf) : nm;
-                    if (!/\b(?:params|searchParams)\b/.test(valText))
-                        return true;
-                }
-            }
+        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            && whereHasNestedOwnership(ts, sf, whereProp.initializer)) {
+            return true;
         }
     }
     // (2) post-fetch ownership comparison against a session/user value, in the same function.
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    // (3) inter-procedural: an authz helper checks session + this id before the find.
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
 /**
  * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
@@ -253,7 +342,11 @@ export function bolaMutationGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, MUTATION_METHODS);
     if (!target)
         return false;
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    // Same-function post-fetch comparison, OR an inter-procedural authz helper that
+    // checked session + this id before the mutation (the helper-guard blind spot).
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
 const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
 /** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.25.0",
+  "version": "3.26.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 450 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 77 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",