npm - guardvibe - Versions diffs - 3.25.0 → 3.27.0 - Mend

guardvibe 3.25.0 → 3.27.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5)

package/CHANGELOG.md +18 -0
package/build/tools/ast-engine.d.ts +12 -0
package/build/tools/ast-engine.js +144 -12
package/build/tools/taint-analysis.js +39 -0
package/package.json +1 -1

package/CHANGELOG.md CHANGED

@@ -5,6 +5,24 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.27.0] - 2026-06-25
+### Improved — AST engine: multi-hop SQL-injection taint (no rule/tool count change: 450 rules / 39 tools)
+- **Multi-hop bare-variable SQL sinks.** Dataflow analysis now catches the case where a user-tainted SQL string is built into a *variable* and that bare variable is passed to a query sink (`const q = "SELECT ... " + req.body.x; db.sequelize.query(q)`). The inline taint patterns only match the dangerous string when it appears literally in the sink call, so they missed the variable-indirection (multi-hop) shape; the AST locates sinks whose first argument is a bare identifier and confirms it is a tainted SQL string before reporting.
+- **High precision / zero-FP guarding:** reports only when the variable is user-tainted *and* its definition is provably a SQL string (carries SQL keywords) — a parameterized query (`db.query(q, [userVal])`) stays silent (the SQL string has no tainted source; the user value rides the bind array), as does a non-SQL `.query(opts)` or a sanitizer-wrapped service-layer build. Deterministic (bundled TypeScript parser).
+- Corpus delta: 1 real SQL-injection caught that the inline patterns missed, zero false positives, zero drift on other rules. 7 new tests.
+Gate green (build / lint / test / self-audit PASS / A / 0).
+## [3.26.0] - 2026-06-25
+### Improved — AST engine: inter-procedural & nested ownership for BOLA/IDOR (no rule/tool count change: 450 rules / 39 tools)
+- **VG950 (find-by-id BOLA) precision via the AST engine.** The ownership guard now also recognizes two real-world authorization shapes the same-function analysis structurally could not see: (1) an ownership field nested inside a relation filter (`members: { some: { userId } }`, `teams.some.team.members.some.userId`), and (2) an **inter-procedural** check — an authorization helper the function calls *before* the query, passing both a session value and the same id (`isAdminForUser(ctx.user.id, targetId)` → throw, then `findUnique({ where: { id: targetId } })`). The same inter-procedural guard now also applies to VG951 (delete/update BOLA).
+- **Soundness preserved:** only a session/auth-derived ownership value counts — a request-controlled value (`req.body.UserId`) is attacker-chosen and keeps firing. Deterministic (bundled TypeScript parser, no resolution of the scanned project's copy).
+- Corpus delta: 3 confirmed false positives removed, zero true positives lost, zero drift on other rules. 8 new tests.
+Gate green (build / lint / test / self-audit PASS / A / 0).
 ## [3.25.0] - 2026-06-24
 ### Fixed — QA hardening pass (no rule/tool count change: 450 rules / 39 tools)
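
The nested-ownership rule described in the 3.26.0 entry can be illustrated with a small sketch. This is not GuardVibe's code: it walks a plain object instead of a TypeScript AST, each leaf value is the source text of the expression, and `hasSessionScopedOwnership` and the short `OWNERSHIP_FIELDS` list are hypothetical stand-ins (the full field set is not shown in this diff).

```javascript
// Hypothetical subset of ownership field names; the real set is not fully visible in this diff.
const OWNERSHIP_FIELDS = new Set(["userId", "ownerId", "teamId", "workspaceId"]);
// Same idea as REQUEST_CONTROLLED in ast-engine.js: values rooted here are attacker-chosen.
const REQUEST_CONTROLLED = /\b(?:req|request|params|searchParams)\b/;

// `where` models a query filter; string leaves hold the SOURCE TEXT of each value expression.
function hasSessionScopedOwnership(where) {
  for (const [key, value] of Object.entries(where)) {
    if (typeof value === "string") {
      // An ownership field only counts when its value is not request-controlled.
      if (OWNERSHIP_FIELDS.has(key) && !REQUEST_CONTROLLED.test(value)) return true;
    } else if (value !== null && typeof value === "object") {
      // Recurse into relation filters such as members.some.
      if (hasSessionScopedOwnership(value)) return true;
    }
  }
  return false;
}

const nestedGuard = { id: "params.id", members: { some: { userId: "session.user.id" } } };
const requestScoped = { id: "req.params.id", userId: "req.body.userId" };
const noOwnership = { id: "params.id" };

console.log(hasSessionScopedOwnership(nestedGuard));   // true
console.log(hasSessionScopedOwnership(requestScoped)); // false
console.log(hasSessionScopedOwnership(noOwnership));   // false
```

The second case stays unguarded because the request itself names the owner, which matches the "Soundness preserved" bullet.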

package/build/tools/ast-engine.d.ts CHANGED

@@ -26,6 +26,18 @@ export declare function bolaOwnershipGuarded(code: string, filePath: string | un
  * false on uncertainty so a genuinely unguarded mutation keeps firing.
  */
 export declare function bolaMutationGuarded(code: string, filePath: string | undefined, line: number): boolean;
+/**
+ * Find SQL-sink calls whose first argument is a BARE identifier (the multi-hop shape
+ * the inline regex can't see). Returns the 1-based sink line and the variable name so
+ * the taint engine can confirm the variable is a user-tainted SQL string before
+ * reporting. Empty (no suppression of other paths) when TypeScript is unavailable or
+ * the parse fails. The first argument must be a plain identifier — an inline
+ * string/template/concat is already covered by the regex sinks and is skipped here.
+ */
+export declare function bareVarSqlSinks(code: string, filePath?: string): Array<{
+    line: number;
+    varName: string;
+}>;
 /**
  * True when the argument to a `new RegExp(...)` at `line` is PROVABLY a constant
  * (a string literal, a variable assigned from a string literal, or the callback

package/build/tools/ast-engine.js CHANGED

@@ -150,6 +150,96 @@ const OWNERSHIP_FIELDS = new Set([
 // A comparison of a fetched resource's ownership field, on a line that also references a session/user.
 const OWNERSHIP_COMPARE = /\.\s*(?:userId|ownerId|authorId|createdById|teamId|workspaceId|orgId|organizationId|tenantId|memberId|accountId|projectId)\b\s*(?:===|!==|==|!=)/i;
 const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;
+// A value text that is directly request/route-controlled is attacker-chosen, so an
+// ownership field scoped to it (`UserId: req.body.UserId`, `workspaceId: params.x`)
+// is NOT a real guard — the request can name any owner. Only session/auth-derived
+// values count. (Mirrors the existing top-level `params|searchParams` exclusion,
+// extended to req/request so juice-shop's `req.body.UserId` scoping keeps firing.)
+const REQUEST_CONTROLLED = /\b(?:req|request|params|searchParams)\b/;
+/**
+ * Recursively scan a `where` object literal for an ownership field (at any nesting
+ * depth, e.g. `members: { some: { userId: ... } }`) whose value is session-derived
+ * (not request-controlled). The line/regex engine and the prior top-level-only scan
+ * miss ownership nested inside relation filters.
+ */
+function whereHasNestedOwnership(ts, sf, obj) {
+    for (const prop of obj.properties) {
+        const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
+        if (ts.isPropertyAssignment(prop)) {
+            if (nm && OWNERSHIP_FIELDS.has(nm)) {
+                const valText = prop.initializer.getText(sf);
+                if (!REQUEST_CONTROLLED.test(valText))
+                    return true;
+            }
+            if (ts.isObjectLiteralExpression(prop.initializer) && whereHasNestedOwnership(ts, sf, prop.initializer))
+                return true;
+        }
+        else if (ts.isShorthandPropertyAssignment(prop) && nm && OWNERSHIP_FIELDS.has(nm)) {
+            // `where: { userId }` — the bound variable carries the ownership scope.
+            return true;
+        }
+    }
+    return false;
+}
+// An authz/ownership-check helper: an action verb + an authz noun (isAdminForUser,
+// assertOwnership, checkAccess, requirePermission, ensureMemberRole…) or a bare
+// authorize/authorise. Names like formatId/getUserById deliberately do NOT match.
+const AUTHZ_HELPER = /^(?:authoris|authoriz)e|^(?:is|assert|ensure|require|check|verify|can|has|validate|guard|protect|enforce)[A-Za-z]*(?:owner|admin|member|access|permission|auth|allowed|belongs|role)/i;
+/** The text of the `where.id` value (or the call's first-arg id) the call is keyed by. */
+function findKeyedIdText(ts, sf, call) {
+    const arg0 = call.arguments[0];
+    if (arg0 && ts.isObjectLiteralExpression(arg0)) {
+        const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
+        const whereObj = whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            ? whereProp.initializer : arg0;
+        const idProp = whereObj.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "id");
+        if (idProp && ts.isPropertyAssignment(idProp))
+            return idProp.initializer.getText(sf);
+    }
+    return undefined;
+}
+/**
+ * Inter-procedural ownership guard: the enclosing function calls an authz-named
+ * helper BEFORE the find/mutation, passing both a session value and the same id the
+ * query is keyed by (`isAdminForUser(ctx.user.id, input.forUserId)` → throw, then
+ * `findUnique({ where: { id: input.forUserId } })`). This is the case VG950/VG951's
+ * same-function analysis structurally can't see. Conservative on every axis (authz
+ * name + session ref + exact id-sharing + textually-before) so an unrelated guard
+ * can't hide a real BOLA.
+ */
+function hasInterProceduralOwnershipGuard(ts, sf, target) {
+    const idText = findKeyedIdText(ts, sf, target);
+    // Require a specific id expression (a member access or a sufficiently long name);
+    // a bare `id` is too generic to match a helper argument soundly.
+    if (!idText || (!idText.includes(".") && idText.length < 5))
+        return false;
+    let fn = target;
+    while (fn && !(ts.isFunctionDeclaration(fn) || ts.isFunctionExpression(fn) || ts.isArrowFunction(fn) || ts.isMethodDeclaration(fn))) {
+        fn = fn.parent;
+    }
+    if (!fn)
+        return false;
+    const targetStart = target.getStart(sf);
+    let guarded = false;
+    const visit = (node) => {
+        if (guarded)
+            return;
+        if (ts.isCallExpression(node) && node !== target && node.getStart(sf) < targetStart) {
+            const callee = node.expression;
+            const method = ts.isPropertyAccessExpression(callee) ? callee.name.text
+                : ts.isIdentifier(callee) ? callee.text : undefined;
+            if (method && AUTHZ_HELPER.test(method)) {
+                const argsText = node.arguments.map(a => a.getText(sf)).join(", ");
+                if (SESSION_REF.test(argsText) && argsText.includes(idText))
+                    guarded = true;
+            }
+        }
+        if (!guarded)
+            ts.forEachChild(node, visit);
+    };
+    visit(fn);
+    return guarded;
+}
 /** The first CallExpression near `line` whose last-identifier method is in `methods`. */
 function callNearLine(ts, sf, line, methods) {
     let target;
@@ -212,23 +302,22 @@ export function bolaOwnershipGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, FIND_METHODS);
     if (!target)
         return false;
-    // (1) ownership field in the WHERE clause with a non-param value.
+    // (1) ownership field in the WHERE clause with a non-param value — now scanned
+    // recursively so ownership nested inside a relation filter (`members.some.userId`)
+    // counts too, with a session-derived (not request-controlled) value.
     const arg0 = target.arguments[0];
     if (arg0 && ts.isObjectLiteralExpression(arg0)) {
         const whereProp = arg0.properties.find(p => ts.isPropertyAssignment(p) && p.name && ts.isIdentifier(p.name) && p.name.text === "where");
-        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)) {
-            for (const prop of whereProp.initializer.properties) {
-                const nm = prop.name && ts.isIdentifier(prop.name) ? prop.name.text : undefined;
-                if (nm && OWNERSHIP_FIELDS.has(nm)) {
-                    const valText = ts.isPropertyAssignment(prop) ? prop.initializer.getText(sf) : nm;
-                    if (!/\b(?:params|searchParams)\b/.test(valText))
-                        return true;
-                }
-            }
+        if (whereProp && ts.isPropertyAssignment(whereProp) && ts.isObjectLiteralExpression(whereProp.initializer)
+            && whereHasNestedOwnership(ts, sf, whereProp.initializer)) {
+            return true;
         }
     }
     // (2) post-fetch ownership comparison against a session/user value, in the same function.
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    // (3) inter-procedural: an authz helper checks session + this id before the find.
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
 /**
  * BOLA ownership-guard detection for VG951 (delete/update). The rule's regex
@@ -253,7 +342,50 @@ export function bolaMutationGuarded(code, filePath, line) {
     const target = callNearLine(ts, sf, line, MUTATION_METHODS);
     if (!target)
         return false;
-    return hasPostFetchOwnershipGuard(ts, sf, target);
+    // Same-function post-fetch comparison, OR an inter-procedural authz helper that
+    // checked session + this id before the mutation (the helper-guard blind spot).
+    if (hasPostFetchOwnershipGuard(ts, sf, target))
+        return true;
+    return hasInterProceduralOwnershipGuard(ts, sf, target);
+}
+// SQL sink methods whose FIRST argument is the query string. The inline taint regex
+// only fires when that string is written literally in the sink call (backtick / `+`),
+// so it misses the case where the SQL string was built into a VARIABLE and the bare
+// variable is passed in (`db.sequelize.query(query)`). `.raw`/`$…Unsafe` are always
+// raw SQL; `query`/`execute` are overloaded, so taint.ts gates them on the variable
+// actually being a user-tainted SQL string.
+const SQL_RAW_SINK_METHODS = new Set(["query", "execute", "raw", "$queryRawUnsafe", "$executeRawUnsafe"]);
+/**
+ * Find SQL-sink calls whose first argument is a BARE identifier (the multi-hop shape
+ * the inline regex can't see). Returns the 1-based sink line and the variable name so
+ * the taint engine can confirm the variable is a user-tainted SQL string before
+ * reporting. Empty (no suppression of other paths) when TypeScript is unavailable or
+ * the parse fails. The first argument must be a plain identifier — an inline
+ * string/template/concat is already covered by the regex sinks and is skipped here.
+ */
+export function bareVarSqlSinks(code, filePath) {
+    const ts = getTs();
+    if (!ts)
+        return [];
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return [];
+    }
+    const sinks = [];
+    const visit = (node) => {
+        if (ts.isCallExpression(node) && ts.isPropertyAccessExpression(node.expression)
+            && SQL_RAW_SINK_METHODS.has(node.expression.name.text)
+            && node.arguments.length > 0 && ts.isIdentifier(node.arguments[0])) {
+            const line = sf.getLineAndCharacterOfPosition(node.arguments[0].getStart(sf)).line + 1;
+            sinks.push({ line, varName: node.arguments[0].text });
+        }
+        ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return sinks;
 }
 const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
 /** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */
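
To see which helper calls the inter-procedural guard in ast-engine.js would accept, the sketch below reuses the `AUTHZ_HELPER` and `SESSION_REF` patterns copied from the diff and applies the same three textual checks (authz-style name, session reference in the arguments, shared id text). `looksLikeGuardCall` is a hypothetical helper for illustration only. It leaves out two conditions the real function also enforces: the call must appear before the query, and the id text must be specific enough (a member access or at least five characters).

```javascript
// Both patterns are copied from the ast-engine.js diff above.
const AUTHZ_HELPER = /^(?:authoris|authoriz)e|^(?:is|assert|ensure|require|check|verify|can|has|validate|guard|protect|enforce)[A-Za-z]*(?:owner|admin|member|access|permission|auth|allowed|belongs|role)/i;
const SESSION_REF = /\b(?:session|ctx|auth|currentUser|viewer|member|account|workspace|team|org|self|me|user)\b/i;

// Hypothetical helper: argTexts are the source texts of the call's arguments,
// idText is the source text of the id the later query is keyed by.
function looksLikeGuardCall(calleeName, argTexts, idText) {
  const argsText = argTexts.join(", ");
  return AUTHZ_HELPER.test(calleeName)
    && SESSION_REF.test(argsText)
    && argsText.includes(idText);
}

const id = "input.forUserId";
console.log(looksLikeGuardCall("isAdminForUser", ["ctx.user.id", id], id));          // true
console.log(looksLikeGuardCall("formatId", ["ctx.user.id", id], id));                // false: not an authz name
console.log(looksLikeGuardCall("checkAccess", [id], id));                            // false: no session value passed
console.log(looksLikeGuardCall("assertOwnership", ["session.userId", "otherId"], id)); // false: different id
```

Requiring all three conditions at once is what keeps an unrelated helper call from suppressing a real finding.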

package/build/tools/taint-analysis.js CHANGED

@@ -5,6 +5,7 @@
  */
 import { isRuleDefinitionFile } from "./check-code.js";
 import { looksMinified } from "../utils/constants.js";
+import { bareVarSqlSinks } from "./ast-engine.js";
 // User input sources (tainted data entry points)
 const TAINT_SOURCES = [
     { pattern: /(?:req|request)\.(?:body|query|params|headers|cookies)\b/g, type: "http-input" },
@@ -300,6 +301,44 @@ export function analyzeTaint(code, language, filePath) {
                 });
             }
         }
+    // Multi-hop SQL injection: a user-tainted SQL string built into a VARIABLE and then
+    // passed BARE to a SQL sink (`const q = "SELECT ... " + req.body.x; db.query(q)`).
+    // The inline sink regexes only match the dangerous string in the sink call itself, so
+    // they miss the variable-indirection case. The AST locates sinks whose first argument
+    // is a bare identifier; we report only when that identifier is a tainted variable
+    // whose definition is provably a SQL string (contains SQL keywords) — high precision,
+    // and a parameterized query (`db.query(q, [userVal])`) stays silent because the SQL
+    // string `q` has no tainted source and the user value rides the bind array.
+    const SQL_KEYWORDS = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|UNION|DROP|INTO|JOIN)\b/i;
+    const hasSqlSinkCandidate = /\.\s*(?:query|execute|raw|\$queryRawUnsafe|\$executeRawUnsafe)\s*\(\s*[A-Za-z_$]/.test(code);
+    if (hasSqlSinkCandidate && SQL_KEYWORDS.test(code)) {
+        for (const site of bareVarSqlSinks(code, filePath)) {
+            const tv = taintedVars.find(v => v.name === site.varName);
+            if (!tv)
+                continue;
+            // The variable must provably hold a SQL string built from user input — its
+            // defining assignment line carries SQL keywords (so a non-SQL `.query(opts)` or a
+            // bind-parameter value never qualifies).
+            const def = lines[tv.line - 1] ?? "";
+            if (!SQL_KEYWORDS.test(def))
+                continue;
+            if (SANITIZERS.some(s => s.test(def)))
+                continue;
+            if (findings.some(f => f.sink.line === site.line && f.sink.type === "sql-injection"))
+                continue;
+            findings.push({
+                source: { type: tv.sourceType ?? "propagated", line: tv.line, variable: tv.name },
+                sink: { type: "sql-injection", line: site.line, code: (lines[site.line - 1] ?? "").trim().substring(0, 100) },
+                chain: [
+                    `[SOURCE] ${tv.sourceType ?? "propagated"} -> ${tv.name} (line ${tv.line})`,
+                    `[SINK] sql-injection (line ${site.line})`,
+                ],
+                severity: "critical",
+                description: "A user-tainted SQL string is built into a variable and passed to a query sink, enabling SQL injection.",
+                fix: "Use parameterized queries with placeholder values (bind parameters); never concatenate user input into the SQL string.",
+            });
+        }
+    }
     return findings;
 }
 export function formatTaintFindings(findings, format) {
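
The gating logic added to `analyzeTaint` can be approximated without the AST. The sketch below is a simplification under stated assumptions: `SQL_KEYWORDS` is copied from the diff and `USER_INPUT` mirrors the first `TAINT_SOURCES` pattern, while `ASSIGNMENT`, `BARE_SINK`, and `findMultiHopSqlInjection` are hypothetical regex stand-ins for the package's taint tracker and `bareVarSqlSinks`. It only handles single-line `const`/`let`/`var` definitions and skips the sanitizer and duplicate-finding checks.

```javascript
const SQL_KEYWORDS = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|UNION|DROP|INTO|JOIN)\b/i; // from the diff
const USER_INPUT = /\b(?:req|request)\.(?:body|query|params|headers|cookies)\b/; // mirrors TAINT_SOURCES
// Hypothetical stand-ins for the taint tracker and the AST-based sink finder.
const ASSIGNMENT = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=/;
const BARE_SINK = /\.\s*(?:query|execute|raw)\s*\(\s*([A-Za-z_$][\w$]*)\s*[,)]/;

function findMultiHopSqlInjection(code) {
  const lines = code.split("\n");
  const tainted = new Map(); // variable name -> 1-based defining line
  lines.forEach((text, i) => {
    const m = ASSIGNMENT.exec(text);
    if (m && USER_INPUT.test(text)) tainted.set(m[1], i + 1);
  });
  const findings = [];
  lines.forEach((text, i) => {
    const m = BARE_SINK.exec(text);
    if (!m || !tainted.has(m[1])) return; // first argument is not a tainted variable
    const defLine = tainted.get(m[1]);
    if (!SQL_KEYWORDS.test(lines[defLine - 1])) return; // definition is not a SQL string
    findings.push({ varName: m[1], sourceLine: defLine, sinkLine: i + 1 });
  });
  return findings;
}

const vulnerable = [
  'const q = "SELECT * FROM users WHERE id = " + req.body.id;',
  "db.sequelize.query(q);",
].join("\n");
const parameterized = [
  'const q = "SELECT * FROM users WHERE id = ?";',
  "const userVal = req.body.id;",
  "db.query(q, [userVal]);",
].join("\n");
const nonSql = ["const opts = req.query;", "client.query(opts);"].join("\n");

console.log(findMultiHopSqlInjection(vulnerable));    // one finding: q, source line 1, sink line 2
console.log(findMultiHopSqlInjection(parameterized)); // []
console.log(findMultiHopSqlInjection(nonSql));        // []
```

The parameterized case stays silent because `q` itself has no tainted source, and the non-SQL case stays silent because the defining line of `opts` carries no SQL keyword.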

package/package.json CHANGED

@@ -1,6 +1,6 @@
 {
   "name": "guardvibe",
-  "version": "3.25.0",
+  "version": "3.27.0",
   "mcpName": "io.github.goklab/guardvibe",
   "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 450 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 77 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",