vbguard 0.3.0 → 0.5.1

package/src/precommit.js

@@ -0,0 +1,67 @@
+#!/usr/bin/env node
+
+/**
+ * vbguard pre-commit hook
+ *
+ * Setup:
+ *   Option 1 (husky): npx husky add .husky/pre-commit "npx vbguard-precommit"
+ *   Option 2 (manual): Copy this to .git/hooks/pre-commit and chmod +x
+ *   Option 3 (npx):    Add to package.json scripts: "precommit": "node node_modules/vbguard/src/precommit.js"
+ */
+
+const path = require('path');
+const { scanDirectory } = require('./index');
+
+const RESET = '\x1b[0m';
+const BOLD = '\x1b[1m';
+const RED = '\x1b[31m';
+const GREEN = '\x1b[32m';
+const DIM = '\x1b[2m';
+
+async function main() {
+  const dir = process.cwd();
+
+  console.log(`\n  ${BOLD}⚡ vbguard pre-commit check${RESET}\n`);
+
+  try {
+    const results = await scanDirectory(dir, {
+      staged: true,
+      offline: true,
+      severity: 'low',
+    });
+
+    const critical = results.findings.filter(f => f.severity === 'critical');
+    const high = results.findings.filter(f => f.severity === 'high');
+    const blocking = [...critical, ...high];
+
+    if (blocking.length === 0) {
+      console.log(`  ${GREEN}✓ No critical/high issues in staged files${RESET}`);
+      if (results.findings.length > 0) {
+        console.log(`  ${DIM}${results.findings.length} non-blocking issue(s) found (medium/low)${RESET}`);
+      }
+      console.log('');
+      process.exit(0);
+    }
+
+    console.log(`  ${RED}${BOLD}✗ Commit blocked — ${blocking.length} critical/high issue(s) found:${RESET}\n`);
+
+    for (const f of blocking) {
+      const sevColor = f.severity === 'critical' ? '\x1b[41m\x1b[37m' : RED;
+      console.log(`  ${sevColor}  ${f.severity.toUpperCase()}${RESET} ${f.rule}`);
+      console.log(`    ${DIM}${f.file}${f.line ? `:${f.line}` : ''}${RESET}`);
+      console.log(`    ${f.message}`);
+      if (f.fix) console.log(`    ${DIM}💡 ${f.fix}${RESET}`);
+      console.log('');
+    }
+
+    console.log(`  ${DIM}Fix these issues or use git commit --no-verify to bypass.${RESET}\n`);
+    process.exit(1);
+
+  } catch (err) {
+    console.error(`  ${RED}Error: ${err.message}${RESET}`);
+    // Don't block commits on scanner errors
+    process.exit(0);
+  }
+}
+
+main();

package/src/reporter.js

@@ -75,4 +75,129 @@ function formatReport(results, opts = {}) {
   }
 }
 
-module.exports = { formatReport };
+// === SARIF format for GitHub Code Scanning ===
+function formatSarif(results, baseDir) {
+  const SEVERITY_MAP = { critical: 'error', high: 'error', medium: 'warning', low: 'note' };
+
+  const rules = [];
+  const ruleIds = new Set();
+  const sarifResults = [];
+
+  for (const finding of results.findings) {
+    if (!ruleIds.has(finding.rule)) {
+      ruleIds.add(finding.rule);
+      rules.push({
+        id: finding.rule,
+        shortDescription: { text: finding.rule },
+        fullDescription: { text: finding.message },
+        defaultConfiguration: { level: SEVERITY_MAP[finding.severity] || 'note' },
+        helpUri: 'https://www.npmjs.com/package/vbguard',
+      });
+    }
+
+    sarifResults.push({
+      ruleId: finding.rule,
+      level: SEVERITY_MAP[finding.severity] || 'note',
+      message: { text: finding.message + (finding.fix ? `\n\nFix: ${finding.fix}` : '') },
+      locations: [{
+        physicalLocation: {
+          artifactLocation: { uri: finding.file ? finding.file.replace(/\\/g, '/') : '' },
+          region: { startLine: finding.line || 1 },
+        },
+      }],
+    });
+  }
+
+  return {
+    version: '2.1.0',
+    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'vbguard',
+          version: '0.5.1',
+          informationUri: 'https://www.npmjs.com/package/vbguard',
+          rules,
+        },
+      },
+      results: sarifResults,
+    }],
+  };
+}
+
+// === Security score (0-100) ===
+function formatScore(results) {
+  const { findings, summary } = results;
+
+  // Weighted deductions
+  const WEIGHTS = { critical: 20, high: 10, medium: 3, low: 1 };
+  let deductions = 0;
+  for (const f of findings) {
+    deductions += WEIGHTS[f.severity] || 1;
+  }
+
+  // Score: start at 100, deduct, floor at 0
+  const score = Math.max(0, Math.min(100, 100 - deductions));
+
+  let label, color;
+  if (score >= 90) { label = 'excellent'; color = '\x1b[32m'; }
+  else if (score >= 70) { label = 'good'; color = '\x1b[33m'; }
+  else if (score >= 50) { label = 'needs work'; color = '\x1b[33m'; }
+  else if (score >= 30) { label = 'poor'; color = '\x1b[31m'; }
+  else { label = 'critical'; color = '\x1b[31m'; }
+
+  console.log('');
+  console.log(`  ${BOLD}vbguard security score:${RESET}`);
+  console.log('');
+
+  // Score bar
+  const filled = Math.round(score / 5);
+  const empty = 20 - filled;
+  const bar = `${color}${'█'.repeat(filled)}${DIM}${'░'.repeat(empty)}${RESET}`;
+  console.log(`  ${bar} ${color}${BOLD}${score}/100${RESET} — ${label}`);
+  console.log('');
+
+  if (summary.critical > 0) console.log(`  \x1b[31m● ${summary.critical} critical\x1b[0m`);
+  if (summary.high > 0) console.log(`  \x1b[31m● ${summary.high} high\x1b[0m`);
+  if (summary.medium > 0) console.log(`  \x1b[33m● ${summary.medium} medium\x1b[0m`);
+  if (summary.low > 0) console.log(`  \x1b[36m● ${summary.low} low\x1b[0m`);
+
+  console.log(`\n  ${DIM}Scanned ${summary.filesScanned} files in ${summary.elapsed}ms${RESET}\n`);
+
+  return score;
+}
+
+// === Fix suggestions file (.vbguard-fixes.md) ===
+function formatFixes(results, baseDir) {
+  const { findings } = results;
+  if (findings.length === 0) return '# vbguard — No issues found\n\nYour project is clean! 🎉\n';
+
+  // Group by file
+  const byFile = {};
+  for (const f of findings) {
+    const file = f.file || '(project-level)';
+    if (!byFile[file]) byFile[file] = [];
+    byFile[file].push(f);
+  }
+
+  let md = '# vbguard — Suggested Fixes\n\n';
+  md += `> Generated by vbguard v0.5.1\n`;
+  md += `> ${findings.length} issues found across ${Object.keys(byFile).length} files\n\n`;
+
+  for (const [file, items] of Object.entries(byFile)) {
+    md += `## \`${file}\`\n\n`;
+    for (const item of items) {
+      const sevIcon = { critical: '🚨', high: '🔴', medium: '🟡', low: '🔵' }[item.severity] || '⚪';
+      md += `### ${sevIcon} ${item.rule}${item.line ? ` (line ${item.line})` : ''}\n\n`;
+      md += `**Issue:** ${item.message}\n\n`;
+      if (item.fix) {
+        md += `**Fix:** ${item.fix}\n\n`;
+      }
+      md += '---\n\n';
+    }
+  }
+
+  return md;
+}
+
+module.exports = { formatReport, formatSarif, formatScore, formatFixes };

package/src/scanners/auth-flow.js

@@ -0,0 +1,234 @@
+function scanAuthFlow(ctx) {
+  const { content, relativePath, ext } = ctx;
+  const findings = [];
+  const lines = content.split('\n');
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+  const isPy = ['.py', '.pyw'].includes(ext);
+
+  if (!isJS && !isPy) return findings;
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    const lineNum = i + 1;
+    const trimmed = line.trim();
+
+    // Skip comments
+    if (trimmed.startsWith('//') || trimmed.startsWith('#') || trimmed.startsWith('*')) continue;
+
+    // === JWT with no expiration ===
+    if (isJS && /jwt\.sign\s*\(/.test(line) && !/expiresIn/.test(line) && !/exp\s*:/.test(line)) {
+      // Only look ahead for multi-line jwt.sign calls (check if line has unbalanced parens)
+      let context = line;
+      const openParens = (line.match(/\(/g) || []).length;
+      const closeParens = (line.match(/\)/g) || []).length;
+      if (openParens > closeParens) {
+        // Multi-line call — look ahead until parens balance
+        for (let j = i + 1; j < Math.min(i + 5, lines.length); j++) {
+          context += ' ' + lines[j];
+          if (/\)\s*;?\s*$/.test(lines[j])) break;
+        }
+      }
+      if (!/expiresIn/.test(context) && !/exp[\s]*:/.test(context)) {
+        findings.push({
+          rule: 'auth/jwt-no-expiration',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'JWT token created without an expiration time. Tokens that never expire are a major security risk — if stolen, they grant permanent access.',
+          fix: 'Add { expiresIn: "1h" } or similar as the options parameter to jwt.sign().',
+        });
+      }
+    }
+
+    // === JWT with weak/hardcoded secret ===
+    if (isJS) {
+      const jwtMatch = line.match(/jwt\.sign\s*\([^,]+,\s*['"`]([^'"`]+)['"`]/);
+      if (jwtMatch) {
+        const secret = jwtMatch[1].toLowerCase();
+        const weakSecrets = ['secret', 'password', 'key123', 'key', 'mysecret', 'test', 'abc123', 'changeme', 'default', 'jwt_secret', 'supersecret', 'token'];
+        if (weakSecrets.includes(secret) || secret.length < 8) {
+          findings.push({
+            rule: 'auth/jwt-weak-secret',
+            severity: 'critical',
+            file: relativePath,
+            line: lineNum,
+            message: `JWT signed with weak/hardcoded secret "${jwtMatch[1]}". This allows anyone to forge valid tokens.`,
+            fix: 'Use a strong, randomly generated secret stored in an environment variable: jwt.sign(payload, process.env.JWT_SECRET, { expiresIn: "1h" })',
+          });
+        }
+      }
+    }
+
+    // === User enumeration — different error messages for "not found" vs "wrong password" ===
+    if (isJS || isPy) {
+      const userNotFoundPatterns = [
+        /['"`]user\s*not\s*found['"`]/i,
+        /['"`]no\s*user\s*(with|found|exists)['"`]/i,
+        /['"`]account\s*not\s*found['"`]/i,
+        /['"`]email\s*not\s*(found|registered)['"`]/i,
+        /['"`]invalid\s*email['"`]/i,
+        /['"`]unknown\s*user['"`]/i,
+      ];
+      const wrongPassPatterns = [
+        /['"`](wrong|incorrect|invalid)\s*password['"`]/i,
+        /['"`]password\s*(is\s*)?(wrong|incorrect|invalid|mismatch)['"`]/i,
+      ];
+
+      const hasUserNotFound = userNotFoundPatterns.some(p => p.test(line));
+      const hasWrongPass = wrongPassPatterns.some(p => p.test(line));
+
+      if (hasUserNotFound || hasWrongPass) {
+        // Check nearby lines for the complement
+        const nearby = lines.slice(Math.max(0, i - 15), Math.min(lines.length, i + 15)).join('\n');
+        const nearbyHasUserNotFound = userNotFoundPatterns.some(p => p.test(nearby));
+        const nearbyHasWrongPass = wrongPassPatterns.some(p => p.test(nearby));
+        if (nearbyHasUserNotFound && nearbyHasWrongPass) {
+          findings.push({
+            rule: 'auth/user-enumeration',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'Login returns different error messages for "user not found" vs "wrong password". This allows attackers to enumerate valid usernames/emails.',
+            fix: 'Return the same generic message for all auth failures: "Invalid email or password". Never reveal which field was wrong.',
+          });
+        }
+      }
+    }
+
+    // === Session/token stored in localStorage ===
+    if (isJS && /localStorage\.setItem\s*\(/.test(line)) {
+      const tokenPatterns = /localStorage\.setItem\s*\(\s*['"`](token|auth|jwt|session|access_token|refresh_token|api_key|apikey|secret)['"`]/i;
+      if (tokenPatterns.test(line)) {
+        findings.push({
+          rule: 'auth/token-in-localstorage',
+          severity: 'high',
+          file: relativePath,
+          line: lineNum,
+          message: 'Authentication token stored in localStorage. This is vulnerable to XSS attacks — any injected script can steal the token.',
+          fix: 'Use httpOnly cookies for authentication tokens. They cannot be accessed by JavaScript and are immune to XSS theft.',
+        });
+      }
+    }
+
+    // === OAuth open redirect — accepting any redirect_uri ===
+    if (isJS) {
+      if (/redirect_uri\s*[:=]\s*(req\.(query|body|params)|request\.(args|form|json))/.test(line) ||
+          /callback.*url\s*[:=]\s*(req\.(query|body|params))/.test(line)) {
+        const context = lines.slice(i, Math.min(i + 10, lines.length)).join('\n');
+        if (!/whitelist|allowlist|allowed|validate|startsWith|includes|indexOf|match/.test(context)) {
+          findings.push({
+            rule: 'auth/oauth-open-redirect',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'OAuth redirect_uri taken directly from user input without validation. Attackers can redirect auth callbacks to their server and steal tokens.',
+            fix: 'Validate redirect_uri against a whitelist of allowed URLs. Never accept arbitrary redirect targets.',
+          });
+        }
+      }
+    }
+
+    // === Password reset with no rate limiting ===
+    if (isJS) {
+      const isResetEndpoint = /(reset|forgot)[-_]?password/i.test(line) && /(post|put|patch|route|handler)/i.test(line);
+      if (isResetEndpoint) {
+        const context = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 20)).join('\n');
+        if (!/rateLimit|rate_limit|rateLimiter|throttle|cooldown|limiter/.test(context)) {
+          findings.push({
+            rule: 'auth/password-reset-no-rate-limit',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'Password reset endpoint with no rate limiting. Attackers can spam password reset emails or brute-force reset tokens.',
+            fix: 'Add rate limiting to password reset endpoints. Limit to ~3 requests per email per hour.',
+          });
+        }
+      }
+    }
+
+    // === Signup with no email verification ===
+    if (isJS) {
+      const isSignupEndpoint = /(signup|sign-up|register|create[-_]?account|create[-_]?user)/i.test(line) && /(post|route|handler|async|function|=>)/i.test(line);
+      if (isSignupEndpoint) {
+        const context = lines.slice(i, Math.min(lines.length, i + 30)).join('\n');
+        if (!/verif|confirm|activation|email.*token|token.*email|sendEmail|send_email|sendMail|send_verification/.test(context)) {
+          findings.push({
+            rule: 'auth/signup-no-email-verification',
+            severity: 'medium',
+            file: relativePath,
+            line: lineNum,
+            message: 'Signup endpoint with no email verification. Allows anyone to create accounts with fake emails, enabling spam and abuse.',
+            fix: 'Send a verification email with a unique token after signup. Don\'t activate the account until the email is confirmed.',
+          });
+        }
+      }
+    }
+
+    // === Supabase auth with no email confirmation ===
+    if (isJS && /supabase.*\.auth\.signUp\s*\(/.test(line)) {
+      const context = lines.slice(i, Math.min(lines.length, i + 10)).join('\n');
+      if (/emailRedirectTo|email_confirm|emailConfirm/.test(context) === false) {
+        findings.push({
+          rule: 'auth/supabase-no-email-confirm',
+          severity: 'medium',
+          file: relativePath,
+          line: lineNum,
+          message: 'Supabase signUp with no email confirmation configured. Users can register with any email address without verifying ownership.',
+          fix: 'Enable email confirmation in Supabase Dashboard → Auth → Settings. Use emailRedirectTo in signUp options.',
+        });
+      }
+    }
+
+    // === Inverted auth check (allow unauthenticated, block authenticated) ===
+    if (isJS) {
+      // Patterns like: if (user) return res.status(403) or if (req.user) throw unauthorized
+      if (/if\s*\(\s*(req\.user|user|session|isAuthenticated|authenticated|currentUser|auth)/.test(line)) {
+        const context = lines.slice(i, Math.min(lines.length, i + 5)).join(' ');
+        if (/\b(403|401|forbidden|unauthorized|deny|reject|throw|redirect.*login)\b/i.test(context) &&
+            !/logout|signout|sign.out/i.test(context)) {
+          // Check it's not "if (!user)"
+          if (!/if\s*\(\s*!/.test(line)) {
+            findings.push({
+              rule: 'auth/inverted-auth-check',
+              severity: 'critical',
+              file: relativePath,
+              line: lineNum,
+              message: 'Authentication check appears to be inverted — blocking authenticated users instead of unauthenticated ones. This is the exact pattern behind the Lovable security vulnerability where authenticated users were denied access while anonymous users were allowed in.',
+              fix: 'Verify the auth logic: you likely want if (!user) return 401, not if (user) return 403. Check every auth guard for correct polarity.',
+            });
+          }
+        }
+      }
+    }
+
+    // === API routes with no auth middleware ===
+    if (isJS) {
+      const routeMatch = line.match(/(?:app|router)\.(get|post|put|patch|delete)\s*\(\s*['"`]\/api\//);
+      if (routeMatch) {
+        // Check if there's middleware between the path and handler
+        const routeContext = lines.slice(i, Math.min(lines.length, i + 3)).join(' ');
+        // Count args between path and final callback
+        const argsAfterPath = routeContext.match(/\(\s*['"`][^'"`]+['"`]\s*,\s*(.*)\)/s);
+        if (argsAfterPath) {
+          const middlewareSection = argsAfterPath[1];
+          // If it goes straight to (req, res) or async (req, res) with no middleware
+          if (/^\s*(async\s+)?\(\s*(req|ctx)\s*,/.test(middlewareSection) ||
+              /^\s*(async\s+)?function\s*\(\s*(req|ctx)\s*,/.test(middlewareSection)) {
+            findings.push({
+              rule: 'auth/api-route-no-middleware',
+              severity: 'medium',
+              file: relativePath,
+              line: lineNum,
+              message: `API route "${routeMatch[0]}" has no authentication middleware. Any unauthenticated user can access this endpoint.`,
+              fix: 'Add auth middleware before the route handler: app.get("/api/...", authMiddleware, handler). Or use app.use("/api", authMiddleware) for all API routes.',
+            });
+          }
+        }
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanAuthFlow };

package/src/scanners/firebase.js

@@ -0,0 +1,124 @@
+function scanFirebase(ctx) {
+  const { content, relativePath, ext, basename } = ctx;
+  const findings = [];
+  const lines = content.split('\n');
+  const isJS = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'].includes(ext);
+
+  // === Firestore rules ===
+  if (basename === 'firestore.rules' || (ext === '.rules' && /cloud\.firestore/.test(content))) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNum = i + 1;
+
+      if (/allow\s+(?:read|write|create|update|delete)(?:\s*,\s*(?:read|write|create|update|delete))*\s*:\s*if\s+true/.test(line)) {
+        findings.push({
+          rule: 'firebase/firestore-permissive-rules',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'Firestore rules allow unrestricted access with "if true". Anyone on the internet can read and write all data.',
+          fix: 'Replace with auth-based rules: allow read, write: if request.auth != null && request.auth.uid == resource.data.userId;',
+        });
+      }
+    }
+  }
+
+  // === Realtime Database rules ===
+  if (basename === 'database.rules.json' || (ext === '.json' && /\.read|\.write/.test(content))) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNum = i + 1;
+
+      if (/['"]\.(read|write)['"]\s*:\s*['"]?true['"]?/.test(line)) {
+        findings.push({
+          rule: 'firebase/rtdb-permissive-rules',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'Realtime Database rules grant unrestricted read/write access. Anyone can read and modify all data.',
+          fix: 'Set ".read": "auth != null" and ".write": "auth != null" at minimum. Better: use per-path rules tied to auth.uid.',
+        });
+      }
+    }
+  }
+
+  // === Storage rules ===
+  if (basename === 'storage.rules' || (ext === '.rules' && /firebase\.storage/.test(content))) {
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNum = i + 1;
+
+      if (/allow\s+(?:read|write).*:\s*if\s+true/.test(line)) {
+        findings.push({
+          rule: 'firebase/storage-permissive-rules',
+          severity: 'critical',
+          file: relativePath,
+          line: lineNum,
+          message: 'Firebase Storage rules allow unrestricted access. Anyone can upload or download any file.',
+          fix: 'Add auth conditions: allow read, write: if request.auth != null; Use path-based rules to restrict access.',
+        });
+      }
+
+      if (/allow\s+(?:read|write)/.test(line) && !/auth|request\.auth/.test(line) && !/if\s+false/.test(line)) {
+        const context = lines.slice(Math.max(0, i - 2), Math.min(lines.length, i + 2)).join('\n');
+        if (!/auth|request\.auth/.test(context)) {
+          findings.push({
+            rule: 'firebase/storage-no-auth',
+            severity: 'high',
+            file: relativePath,
+            line: lineNum,
+            message: 'Firebase Storage rule has no auth condition. This storage path is accessible without authentication.',
+            fix: 'Add request.auth != null to the rule condition.',
+          });
+        }
+      }
+    }
+  }
+
+  // === JS/TS file checks ===
+  if (isJS) {
+    const isClientSide = /['"`]use client['"`]|components?\/|pages?\/|public\/|src\/app/.test(relativePath.replace(/\\/g, '/')) ||
+      content.includes("'use client'") || content.includes('"use client"');
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNum = i + 1;
+      const trimmed = line.trim();
+
+      if (trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+      // === Firebase Admin SDK in client-side code ===
+      if (isClientSide) {
+        if (/firebase-admin|require\s*\(\s*['"`]firebase-admin['"`]\)|from\s+['"`]firebase-admin/.test(line)) {
+          findings.push({
+            rule: 'firebase/admin-sdk-in-client',
+            severity: 'critical',
+            file: relativePath,
+            line: lineNum,
+            message: 'Firebase Admin SDK imported in client-side code. The Admin SDK has full database access and should never run in the browser.',
+            fix: 'Move Firebase Admin SDK usage to server-side code only (API routes, Cloud Functions, server components).',
+          });
+        }
+      }
+
+      // === Firebase config with no App Check ===
+      if (/firebaseConfig|firebase\.initializeApp|initializeApp\s*\(/.test(line)) {
+        if (!/appCheck|AppCheck|app-check|ReCaptcha|reCAPTCHA/.test(content)) {
+          findings.push({
+            rule: 'firebase/no-app-check',
+            severity: 'medium',
+            file: relativePath,
+            line: lineNum,
+            message: 'Firebase initialized without App Check. Without App Check, anyone can use your Firebase API key to access your backend resources from their own app.',
+            fix: 'Enable Firebase App Check with reCAPTCHA or similar attestation provider to prevent API abuse.',
+          });
+          break; // Only report once per file
+        }
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanFirebase };