guardvibe 3.26.0 → 3.28.0

package/CHANGELOG.md

@@ -5,6 +5,22 @@ All notable changes to GuardVibe are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.28.0] - 2026-06-25
+
+### Added — 1 rule from daily intel: i18next missing-key prototype pollution (450 → 451 rules)
+- **VG1097 — i18next missing-key prototype pollution (CVE-2026-48713 / CVE-2026-48714, critical).** Two i18next missing-key handlers write attacker-supplied key segments onto `Object.prototype`: `i18next-fs-backend` before 2.6.6 (GHSA-2933-q333-qg83) persists `__proto__.polluted`-style keys, and `i18next-http-middleware` before 3.9.7 (GHSA-f49m-vf83-692w) blocks literal `__proto__` but not dotted variants that downstream backends split on `keySeparator`. Both published 2026-06-25. Distinct from the existing `i18next-http-backend` path-traversal rule (different package). 0-FP semver: a caret on the current major (^2 / ^3) and a tilde within the fixed minor resolve to the patched release, so only exact/= pins and ranges that stay in the vulnerable line are flagged. CVE version-pin rule count 77 → 78. 16 tests.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
+## [3.27.0] - 2026-06-25
+
+### Improved — AST engine: multi-hop SQL-injection taint (no rule/tool count change: 450 rules / 39 tools)
+- **Multi-hop bare-variable SQL sinks.** Dataflow analysis now catches the case where a user-tainted SQL string is built into a *variable* and that bare variable is passed to a query sink (`const q = "SELECT ... " + req.body.x; db.sequelize.query(q)`). The inline taint patterns only match the dangerous string when it appears literally in the sink call, so they missed the variable-indirection (multi-hop) shape; the AST locates sinks whose first argument is a bare identifier and confirms it is a tainted SQL string before reporting.
+- **High precision / zero-FP guarding:** reports only when the variable is user-tainted *and* its definition is provably a SQL string (carries SQL keywords) — a parameterized query (`db.query(q, [userVal])`) stays silent (the SQL string has no tainted source; the user value rides the bind array), as does a non-SQL `.query(opts)` or a sanitizer-wrapped service-layer build. Deterministic (bundled TypeScript parser).
+- Corpus delta: 1 real SQL-injection caught that the inline patterns missed, zero false positives, zero drift on other rules. 7 new tests.
+
+Gate green (build / lint / test / self-audit PASS / A / 0).
+
 ## [3.26.0] - 2026-06-25
 
 ### Improved — AST engine: inter-procedural & nested ownership for BOLA/IDOR (no rule/tool count change: 450 rules / 39 tools)

package/README.md

@@ -9,13 +9,13 @@
 > **Security infrastructure your AI can't be.**
 > No matter how good your coding agent gets, it can't know the CVE published after its training cutoff, it can't deterministically guarantee the same check every run, it can't hold your whole repo in context, and it can't objectively review its own code. GuardVibe does all four — the deterministic, post-cutoff-current, whole-repo, author-independent verification layer for AI-written code.
 
-- **🗓️ Knows what your AI doesn't.** CVE rules refreshed **daily** from GHSA / OSV.dev / CISA KEV — GuardVibe flags vulnerable dependencies published *after* your model's training cutoff. (77 CVE rules, `npm run intel` daily triage.)
+- **🗓️ Knows what your AI doesn't.** CVE rules refreshed **daily** from GHSA / OSV.dev / CISA KEV — GuardVibe flags vulnerable dependencies published *after* your model's training cutoff. (78 CVE rules, `npm run intel` daily triage.)
 - **🎯 Deterministic, not probabilistic.** Same code = same result, every run (content-hashed). Your AI guesses; GuardVibe doesn't.
 - **🗺️ Sees the whole repo.** Cross-file taint + auth-coverage across every route — catches the unprotected endpoint your agent's narrow context missed.
 - **🔍 An independent second pair of eyes.** The thing that wrote the code can't review itself. GuardVibe is the outside checker on AI-written code — in the loop *while* your AI codes (real-time edit hook), not after.
 - **⬅️ NEW: Starts before the first line of code.** Every scanner on earth — including your agent reviewing itself — acts *after* the code exists. [`secure_prompt`](#prompt-level-security-shift-left) acts *before*: it analyzes the coding prompt itself, detects the stack and attack surfaces it implies, and embeds severity-ranked GuardVibe requirements into the prompt your AI executes. The vulnerability is prevented, not caught. Deterministic, zero LLM calls — and if the prompt is already secure, it passes through untouched.
 
-**The security MCP built for vibe coding.** 450 security rules, 39 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
+**The security MCP built for vibe coding.** 451 security rules, 39 tools covering the entire AI-generated code journey — from the prompt itself to production deployment.
 
 Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf**, and any MCP-compatible coding agent.
 
@@ -27,11 +27,11 @@ Works with **Claude Code, Cursor, Gemini CLI, Codex, VS Code (Copilot), Windsurf
 
 Most security tools are built for enterprise security teams. GuardVibe is built for **you** — the developer using AI to build and ship web apps fast.
 
-- **450 security rules, 39 tools** purpose-built for the stacks AI agents generate
+- **451 security rules, 39 tools** purpose-built for the stacks AI agents generate
 - **Zero setup friction** — `npx guardvibe` and you're scanning
 - **No account required** — runs 100% locally, no API keys, no cloud
 - **Understands your stack** — not generic SAST, but rules that know Next.js, Supabase, Stripe, Clerk, and the tools you actually use
-- **CVE version intelligence** — detects 77 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
+- **CVE version intelligence** — detects 78 known vulnerable package versions in package.json, refreshed every day from GHSA / OSV.dev / CISA KEV
 - **AI agent & MCP security** — detects MCP server vulnerabilities, tool-description prompt injection (OWASP MCP Top 10), model-controlled sandbox-disable flags, excessive AI permissions, indirect prompt injection
 - **Auto-fix suggestions** — `fix_code` tool returns concrete patches and structured edits the AI agent can apply mechanically. Coverage: hardcoded credentials → env-var migration; public-prefix LLM keys (`NEXT_PUBLIC_/VITE_/EXPO_PUBLIC_/REACT_APP_`) → prefix removal; CORS wildcards → env allowlist; `dangerouslyAllowBrowser` flags → drop; sandbox bypass flags (`unsafe`/`noSandbox`/`allowEval`) → drop; agent loops → add `maxSteps`; raw-HTML React props → `<ReactMarkdown>`; missing auth checks → insert auth guard; SQL injection → parameterized queries; missing rate limiters / CSRF / security headers → snippet templates.
 - **Pre-commit hook** — block insecure code before it reaches your repo
@@ -62,10 +62,10 @@ GuardVibe is purpose-built for the AI coding workflow. Traditional tools are exc
 | AI/LLM security (prompt injection, MCP, tool abuse) | 68 rules | Experimental/None | None |
 | AI host security (CVE-2025-59536, CVE-2026-21852) | `guardvibe doctor` | Not supported | Not supported |
 | Auto-fix suggestions for AI agents | `fix_code` tool | CLI autofix | Not supported |
-| CVE version detection | 77 packages, refreshed daily | Extensive | Extensive |
+| CVE version detection | 78 packages, refreshed daily | Extensive | Extensive |
 | Compliance mapping (SOC2, PCI-DSS, HIPAA) | Built-in | Paid tier | None |
 | SARIF CI/CD export | Yes | Yes | Limited |
-| Rule count | 450 (focused, 68 AI-native) | 5000+ (broad) | N/A |
+| Rule count | 451 (focused, 68 AI-native) | 5000+ (broad) | N/A |
 
 **When to use GuardVibe:** You're building with AI agents and want security scanning integrated into your coding workflow — no dashboard, no account, no CI setup.
 
@@ -190,7 +190,7 @@ React Native, Expo — AsyncStorage secrets, deep link token exposure, hardcoded
 ### Firebase
 Firestore security rules, Firebase Admin SDK exposure, storage rules, custom token validation
 
-### CVE Version Intelligence (77 CVEs, refreshed daily)
+### CVE Version Intelligence (78 CVEs, refreshed daily)
 **Frameworks:** Next.js (CVE-2024-34351, CVE-2024-46982, CVE-2025-29927, CVE-2026-23869, CVE-2026-44573 / 44574 / 44575 / 44578 / 44579 / 45109 May 2026 cluster), React + react-server-dom-* (CVE-2025-55182, CVE-2026-23870), Express, Hono pre-4.12.18 cluster, @vitejs/plugin-rsc, Strapi content-type-builder (CVE-2026-22599)
 **Auth:** Clerk middleware bypass (GHSA-vqx2), Clerk `has()` org/billing/reverification bypass (GHSA-w24r), Clerk `clerkFrontendApiProxy` SSRF (CVE-2026-34076), NextAuth.js (2 CVEs), jsonwebtoken
 **ORMs / SQL:** Drizzle SQL identifier injection (CVE-2026-39356) + Drizzle `sql.raw` interpolation (VG1073), MikroORM SQL injection (CVE-2026-44680), Prisma raw-query call-form, Kysely JSON-path traversal (CVE-2026-44635)
@@ -302,7 +302,7 @@ The offline tier is also a `full_audit` section (online never runs inside the au
 { "slopscan": { "online": true, "allow": ["@myorg/internal-pkg"] } }
 ```
 
-## Security Rules (450 rules across 25 modules)
+## Security Rules (451 rules across 25 modules)
 
 | Category | Rules | Coverage |
 |----------|-------|----------|
@@ -321,7 +321,7 @@ The offline tier is also a `full_audit` section (online never runs inside the au
 | AI / LLM Security | 33 | Prompt injection, MCP SSRF, excessive agency, indirect injection |
 | **AI Host Security** | **14** | **CVE-2025-59536 hook injection, CVE-2026-21852 base URL hijack, MCP config audit** |
 | **AI Tool Runtime** | **14** | **MCP tool output sanitization, obfuscated descriptions, safety bypass** |
-| CVE Version Intelligence | 75 | Known vulnerable versions in package.json — incl. Vite dev-server cmd injection (CVE-2024-52011), React Router 7 cluster (CVE-2026-33245/42211/42342), DOMPurify XSS (CVE-2026-47423), Better Auth bypass (CVE-2026-45337), Axios supply-chain backdoor |
+| CVE Version Intelligence | 76 | Known vulnerable versions in package.json — incl. Vite dev-server cmd injection (CVE-2024-52011), React Router 7 cluster (CVE-2026-33245/42211/42342), DOMPurify XSS (CVE-2026-47423), Better Auth bypass (CVE-2026-45337), Axios supply-chain backdoor |
 | Shell / Bash | 5 | Pipe to bash, chmod 777, rm -rf, sudo password |
 | SQL | 4 | DROP/DELETE without WHERE, stacked queries, GRANT ALL |
 | Supply Chain | 19 | Malicious install scripts, lockfile integrity, dependency confusion, typosquat detection |

package/build/data/rules/cve-versions.js

@@ -901,4 +901,16 @@ export const cveVersionRules = [
         fixCode: '// package.json\n"@clerk/nextjs": "^4.29.3"  // legacy 4.x; prefer migrating to ^6 / ^7\n\n// Defence-in-depth — bind the action to the authed user, never a client-supplied id\nimport { auth } from "@clerk/nextjs/server";\nexport async function GET() {\n  const { userId } = await auth();\n  if (!userId) return new Response("Unauthorized", { status: 401 });\n  const data = await db.record.findFirst({ where: { ownerId: userId } });\n}',
         compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.10", "HIPAA:§164.312(a)"],
     },
+    {
+        id: "VG1097",
+        name: "i18next missing-key Prototype Pollution (CVE-2026-48713 / CVE-2026-48714)",
+        severity: "critical",
+        owasp: "A03:2025 Injection",
+        description: "Two i18next missing-key handlers are vulnerable to prototype pollution via crafted key strings. i18next-fs-backend before 2.6.6 (CVE-2026-48713 / GHSA-2933-q333-qg83), when persisting missing translation keys, writes attacker-supplied segments like '__proto__.polluted' onto Object.prototype. i18next-http-middleware before 3.9.7 (CVE-2026-48714 / GHSA-f49m-vf83-692w) blocks literal __proto__/constructor/prototype keys but not dotted variants, which downstream backends split on keySeparator and write to the prototype — remote prototype pollution wherever the missing-key handler accepts untrusted input. Fixed in 2.6.6 and 3.9.7 respectively. 0-FP semver: a caret range on the current major (^2 / ^3) and a tilde within the fixed minor resolve to the patched release, so only exact/= pins (and tilde/exact within the still-vulnerable lines, plus any range on an older major) are flagged.",
+        pattern: /["']i18next-fs-backend["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[01]\.\d+\.\d+|(?:~|=)?\s*2\.[0-5]\.\d+|=?\s*2\.6\.[0-5](?![0-9]))["']|["']i18next-http-middleware["']\s*:\s*["'](?:(?:\^|~|>=?)?\s*[0-2]\.\d+\.\d+|(?:~|=)?\s*3\.[0-8]\.\d+|=?\s*3\.9\.[0-6](?![0-9]))["']/g,
+        languages: ["json"],
+        fix: "Upgrade i18next-fs-backend to 2.6.6+ and i18next-http-middleware to 3.9.7+: npm install i18next-fs-backend@latest i18next-http-middleware@latest. As defence-in-depth, reject any incoming translation key whose segments include __proto__, constructor, or prototype before passing it to a missing-key handler.",
+        fixCode: '// package.json\n"i18next-fs-backend": "^2.6.6",  // or latest\n"i18next-http-middleware": "^3.9.7"  // or latest',
+        compliance: ["SOC2:CC6.1", "PCI-DSS:Req6.5.1", "HIPAA:§164.312(a)"],
+    },
 ];

package/build/tools/ast-engine.d.ts

@@ -26,6 +26,18 @@ export declare function bolaOwnershipGuarded(code: string, filePath: string | un
  * false on uncertainty so a genuinely unguarded mutation keeps firing.
  */
 export declare function bolaMutationGuarded(code: string, filePath: string | undefined, line: number): boolean;
+/**
+ * Find SQL-sink calls whose first argument is a BARE identifier (the multi-hop shape
+ * the inline regex can't see). Returns the 1-based sink line and the variable name so
+ * the taint engine can confirm the variable is a user-tainted SQL string before
+ * reporting. Empty (no suppression of other paths) when TypeScript is unavailable or
+ * the parse fails. The first argument must be a plain identifier — an inline
+ * string/template/concat is already covered by the regex sinks and is skipped here.
+ */
+export declare function bareVarSqlSinks(code: string, filePath?: string): Array<{
+    line: number;
+    varName: string;
+}>;
 /**
  * True when the argument to a `new RegExp(...)` at `line` is PROVABLY a constant
  * (a string literal, a variable assigned from a string literal, or the callback

package/build/tools/ast-engine.js

@@ -348,6 +348,45 @@ export function bolaMutationGuarded(code, filePath, line) {
         return true;
     return hasInterProceduralOwnershipGuard(ts, sf, target);
 }
+// SQL sink methods whose FIRST argument is the query string. The inline taint regex
+// only fires when that string is written literally in the sink call (backtick / `+`),
+// so it misses the case where the SQL string was built into a VARIABLE and the bare
+// variable is passed in (`db.sequelize.query(query)`). `.raw`/`$…Unsafe` are always
+// raw SQL; `query`/`execute` are overloaded, so taint.ts gates them on the variable
+// actually being a user-tainted SQL string.
+const SQL_RAW_SINK_METHODS = new Set(["query", "execute", "raw", "$queryRawUnsafe", "$executeRawUnsafe"]);
+/**
+ * Find SQL-sink calls whose first argument is a BARE identifier (the multi-hop shape
+ * the inline regex can't see). Returns the 1-based sink line and the variable name so
+ * the taint engine can confirm the variable is a user-tainted SQL string before
+ * reporting. Empty (no suppression of other paths) when TypeScript is unavailable or
+ * the parse fails. The first argument must be a plain identifier — an inline
+ * string/template/concat is already covered by the regex sinks and is skipped here.
+ */
+export function bareVarSqlSinks(code, filePath) {
+    const ts = getTs();
+    if (!ts)
+        return [];
+    let sf;
+    try {
+        sf = ts.createSourceFile(filePath ?? "file.ts", code, ts.ScriptTarget.Latest, true, scriptKindFor(ts, filePath));
+    }
+    catch {
+        return [];
+    }
+    const sinks = [];
+    const visit = (node) => {
+        if (ts.isCallExpression(node) && ts.isPropertyAccessExpression(node.expression)
+            && SQL_RAW_SINK_METHODS.has(node.expression.name.text)
+            && node.arguments.length > 0 && ts.isIdentifier(node.arguments[0])) {
+            const line = sf.getLineAndCharacterOfPosition(node.arguments[0].getStart(sf)).line + 1;
+            sinks.push({ line, varName: node.arguments[0].text });
+        }
+        ts.forEachChild(node, visit);
+    };
+    visit(sf);
+    return sinks;
+}
 const ITER_METHODS = new Set(["map", "forEach", "some", "every", "filter", "find", "findIndex", "reduce", "flatMap"]);
 /** First `const NAME = <initializer>` for NAME anywhere in the file (file-scope-ish). */
 function findVarInit(ts, sf, name) {

package/build/tools/taint-analysis.js

@@ -5,6 +5,7 @@
  */
 import { isRuleDefinitionFile } from "./check-code.js";
 import { looksMinified } from "../utils/constants.js";
+import { bareVarSqlSinks } from "./ast-engine.js";
 // User input sources (tainted data entry points)
 const TAINT_SOURCES = [
     { pattern: /(?:req|request)\.(?:body|query|params|headers|cookies)\b/g, type: "http-input" },
@@ -300,6 +301,44 @@ export function analyzeTaint(code, language, filePath) {
                 });
             }
         }
+    // Multi-hop SQL injection: a user-tainted SQL string built into a VARIABLE and then
+    // passed BARE to a SQL sink (`const q = "SELECT ... " + req.body.x; db.query(q)`).
+    // The inline sink regexes only match the dangerous string in the sink call itself, so
+    // they miss the variable-indirection case. The AST locates sinks whose first argument
+    // is a bare identifier; we report only when that identifier is a tainted variable
+    // whose definition is provably a SQL string (contains SQL keywords) — high precision,
+    // and a parameterized query (`db.query(q, [userVal])`) stays silent because the SQL
+    // string `q` has no tainted source and the user value rides the bind array.
+    const SQL_KEYWORDS = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|UNION|DROP|INTO|JOIN)\b/i;
+    const hasSqlSinkCandidate = /\.\s*(?:query|execute|raw|\$queryRawUnsafe|\$executeRawUnsafe)\s*\(\s*[A-Za-z_$]/.test(code);
+    if (hasSqlSinkCandidate && SQL_KEYWORDS.test(code)) {
+        for (const site of bareVarSqlSinks(code, filePath)) {
+            const tv = taintedVars.find(v => v.name === site.varName);
+            if (!tv)
+                continue;
+            // The variable must provably hold a SQL string built from user input — its
+            // defining assignment line carries SQL keywords (so a non-SQL `.query(opts)` or a
+            // bind-parameter value never qualifies).
+            const def = lines[tv.line - 1] ?? "";
+            if (!SQL_KEYWORDS.test(def))
+                continue;
+            if (SANITIZERS.some(s => s.test(def)))
+                continue;
+            if (findings.some(f => f.sink.line === site.line && f.sink.type === "sql-injection"))
+                continue;
+            findings.push({
+                source: { type: tv.sourceType ?? "propagated", line: tv.line, variable: tv.name },
+                sink: { type: "sql-injection", line: site.line, code: (lines[site.line - 1] ?? "").trim().substring(0, 100) },
+                chain: [
+                    `[SOURCE] ${tv.sourceType ?? "propagated"} -> ${tv.name} (line ${tv.line})`,
+                    `[SINK] sql-injection (line ${site.line})`,
+                ],
+                severity: "critical",
+                description: "A user-tainted SQL string is built into a variable and passed to a query sink, enabling SQL injection.",
+                fix: "Use parameterized queries with placeholder values (bind parameters); never concatenate user input into the SQL string.",
+            });
+        }
+    }
     return findings;
 }
 export function formatTaintFindings(findings, format) {

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "guardvibe",
-  "version": "3.26.0",
+  "version": "3.28.0",
   "mcpName": "io.github.goklab/guardvibe",
-  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 450 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 77 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
+  "description": "Security infrastructure your AI can't be — deterministic, current past your model's training cutoff, whole-repo-aware, author-independent. Security MCP for vibe coding. 451 rules, 39 tools, CLI + doctor. Prompt-level shift-left security (secure_prompt — embed security requirements BEFORE code generation), host security, auth coverage mapping, LLM-powered deep scan (IDOR/business logic), taint analysis. 78 CVE rules refreshed daily from GHSA/OSV/CISA KEV — js-cookie cookie-attribute injection, PostCSS </style> stringify XSS, Axios proxy prototype-pollution gadget, Vite dev-server RCE, React Router 7 cluster, DOMPurify XSS, Better Auth bypass, Miasma @redhat-cloud-services compromise, Next.js May 2026 13-advisory cluster, Drizzle/MikroORM/Kysely SQL injection, Axios proxy-auth redirect leak, Hono setCookie attribute injection, Clerk SSRF, tRPC prototype pollution, @tanstack supply-chain, node-ipc protestware, OpenClaude sandbox bypass, plus the full AI-generated stack (Supabase, Stripe, Prisma, Hono, GraphQL, Convex, Turso, Uploadthing, AI SDK). 68 AI-native rules including OWASP MCP Top 10 tool-description prompt injection (VG1068), model-controlled sandbox-disable flag detection (VG1063), Session messenger exfil endpoint IOC (VG1075), and CI/CD supply-chain hardening (VG1070 npm --expect-provenance / --ignore-scripts enforcement).",
   "type": "module",
   "bin": {
     "guardvibe": "build/cli.js",